Security Vulnerability in PGP and S/MIME Clients, Part 1

Matti Suominen

Lead Consultant

May 14, 2018 at 12:08
Originally published at 12:08 EEST on May 14, 2018.
Note that this article discusses current on-going events and some information may have changed since publishing.

Every year we see predictions that e-mail is finally going away and being replaced by some different form of communication media – instant messaging systems like Skype, chat forum applications like Slack and so forth. Yet, year after year, e-mail is still here. The majority of communications, especially those between companies, are still carried out through the good old e-mail that has been with us since the 1970s. Even outside of the business context, e-mail is still going strong.

Need further proof? Look no further than the following site: https://www.emailisnotdead.com/

For this reason, any time there is a security concern that affects e-mail clients, it’s a big deal. E-mail has several characteristics which make it a great vector for carrying out cyber-attacks:

  • Anyone can send e-mail to anyone without knowing the recipient, using e-mail addresses that are easy to find out in large volumes
  • Messages arrive immediately and, unless removed by a spam filter or similar, are usually opened to check what the contents are
  • Sending messages is virtually free for the sender, even to millions of recipients all over the world

A warning about an upcoming security vulnerability affecting e-mail clients has just come out from security researchers. The full details are not out yet, but the researchers have given instructions on how to stay safe once the information is published. Details are currently vague, but the information released so far suggests that PGP and S/MIME plug-ins should be disabled in e-mail clients as soon as possible. PGP and S/MIME are methods for encrypting e-mails so that they cannot be read by third parties who might gain access to the messages without having the decryption key in their possession. By default, e-mail has no encryption and all messages are sent in plain text. Some companies use one of these methods to encrypt sensitive communications.

See the warning and follow-up discussion directly from the researchers:
https://twitter.com/seecurity/status/995906576170053633

Before new information comes out, make sure you do the following:

  • Ensure that all PGP and S/MIME plug-ins which automatically decrypt e-mails are disabled on all e-mail clients in your organization
  • Follow up on the new information that should come out tomorrow, Tuesday 15 May, at 7:00 AM UTC in the form of a research paper

How to disable these plug-ins depends on the client you are using.

Information for various clients and plug-ins is available on the EFF site:
https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

If your organization is not using PGP or S/MIME, you are not affected by this issue according to the information currently available. However, it’s possible that some security-conscious users have installed such plug-ins on their own.

We’ll follow up on the topic tomorrow to report on what the impact of the issue is and how to react.