How to protect yourself from the EFAIL vulnerability on Mac and iOS

Idownloadblog ^ | May 14, 2018 | By Bryan M. Wolfe

[Swordmaker]

Here’s how to protect yourself from the EFAIL vulnerability in Apple Mail on both iOS and macOS. These temporary fixes come after the new vulnerability was discovered that allows hackers to derive decrypted plaintext from encrypted emails. For the attack to work, the third party must be in possession of your encrypted S/MIME or PGP emails. 

Although Apple’s likely to offer a fix to this vulnerability sooner rather than later, there are things you can do now to make your email more secure.

The Electronic Frontier Foundation (EFF) was the first to discover this vulnerability.

Method 1

As previously mentioned, the first method involves removing the GPGTools/GPGMail encryption plugin from Apple Mail on macOS. To do so:

1. Quit Apple Mail (Mail > Quit Mail in the menu bar)
2. Click on your desktop and in the Finder menu bar, select Go > Go to Folder
3. From here, type /Library/Mail/Bundles, then click Go
4. Delete the GPGMail.mailbundle file by dragging it to the Mac trash in your dock or by right-clicking it and selecting Move to Trash in the drop-down menu
5. If you don’t see GPGMail.mailbundle file, return to the previous step and type ~/Library/Mail/Bundles in the Go to Folder dialog
6. Please note: You may need to type the administrator password for your Mac before deleting the file

Method 2

On iOS, you’ll need to just change the setting called “Load Remote Images.” To do so:

1. Go into the Settings app and select Mail
2. Under Message, toggle Load Remote Images to the off position
3. It’s that simple

Removing EFAIL vulnerability — final words

Keep in mind this vulnerability is most likely to occur in an environment that relies on S/MIME and PGP encrypted email communications to talk in private. The average Apple Mail user is almost certainly not using any of these tools.

You can read the technical details about the vulnerability from the EFF website.

We’ll let you know when Apple pushes out a fix for this issue. In the meantime, let us know what you think about this newly discovered vulnerability in Apple Mail and other email clients by leaving a comment below.

[PA Engineer]

Thanks. BTTT.

[Swordmaker]

If you use Pretty Good Privacy (PGP) encryption on your emails on an iPhone or Mac's Mail app with GPGTools, Thunderbird with Enigmail, or Windows with Outlook with Gpg4win, there is a flaw called EFail that COULD allow a third-party who has intercepted one of your encrypted emails who could then send you specially crafted MIME file that contained script that would allow decryption of your messages. This posting covers mitigation for Apple users of PGP, but other platforms who use it should look for mitigation for their platforms. Not all email clients are vulnerable. —PING!

Cross Platform PGP EFail Compromise Ping!

If you want on or off the Mac Ping List, Freepmail me.

[Swordmaker]

EFF Foundation on eFail problem.

[Mark17]

Bookmark

[palmer]

I read the efail paper: https://efail.de/efail-attack-paper.pdf What is not clear is this statement in the abstract: "The attack works for emails even if they were collected long ago, and is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker."

There's not much more on revealing plaintext of other emails other than the one sent by the attackers. The rest of the paper seems to leave that as an exercise, and just a possibiity. Other sources like SANS commentary says "Notably, the attacker needs full access to the target user's email account,..." presumably through some other flaws or vulnerabilities. It's pretty useless to simply expose the plaintext of an email sent by an attacker back to the attacker. The attacker obviously wants other plaintext of other emails in the user's inbox and there's no explanation in the academic paper of how to do that.

As a PGP user, I rate this concern "unverified". In any case, I never turn on (or always turn off) HTML fetching such as external images. It destroys privacy, wastes bandwidth, and the downloaded window dressing is totally useless.

[zeugma]

My email client (thunderbird) doesn’t load remote images unless I tell it to do so. Love the Enigmail plugin for PGP/GPG

[Irish Eyes]

Bookmark

[The Westerner]

Hi Sword, it’s been awhile since we last communicated. I’m getting used to the Macbook laptop but still using the mini iPad and iPhone almost seamlessly. Only observation is the battery needs recharging once during the day if certain programs are used. Not a complaint, just an observation.
Lately, I’ve been reconsidering my gmail account and started paying for Hushmail. Have you any thoughts about Hippa compliant email services? Thanks. Hope you and the gf are well,
TW