The GPG plugin for macOS will be releasing an update to mitigate against these attacks soon.
According to the researchers, users, for the time being, should stay away from plugins for email clients like Microsoft Outlook and Apple Mail as these services automatically encrypt and decrypt emails.
The use of PGP for secure communications has been advocated, among others, by Edward Snowden, who blew the whistle on pervasive electronic surveillance at the US National Security Agency before fleeing to Russian Federation. Secure/Multipurpose Internet Mail Extensions (S/MIME) is an alternative end-to-end encryption standard that is used to secure corporate email communication. In fact, the only clients protected against S/Mime attacks are Claws Mail and Mutt whereas more clients are protected against PGP-targeting attacks. This requires the attackers to already have gained access to the encrypted message by "eavesdropping on network traffic, compromising email accounts, email servers, backup systems, or client computers".
Professor Schinzel is a member of a research team consisting of a long list of respected security researchers, and which has been responsible for uncovering a number of cryptographic vulnerabilities.
"The best way to prevent EFAIL attacks is to only decrypt S/MIME or PGP emails in a separate application outside of your email client". This new vulnerability allows hackers and attackers the ability to read encrypted HTML emails in plaintext files. "We use CBC/CFB gadgets to inject malicious plaintext snippets into encrypted emails that abuse existing and standard-conforming backchannels, for example, in HTML, CSS, or x509 functionality, to exfiltrate the full plaintext after decryption".
Stars descend on Cannes as 71st film festival begins
But he's also signaled that the festival is reanalyzing its procedures and making its selection committees gender-balanced. As the who's who of the movie industry arrived into the French city, the impact of #MeToo is still being felt.
The research paper details a method whereby the simple omission of not closing the URL with quotes can enable an attacker to get access to the decrypted email contents.
The Gnu Privacy Guard (GnuPG) team responded to the EFF's warnings by saying the problem lies with how email clients implement OpenPGP, not with the protocol itself. The program also sees implementation in desktop programs for data encryption. "Having used PGP since 1993, this sounds baaad".
If you've been using PGP or S/MIME to securely send and receive sensitive emails, you'll want to stop using them right away, as a group of European researchers have found vulnerabilities in both standards. They do note, however, that disabling HTML rendering won't completely stop EFAIL attacks.
Graham had a different take: "Instead of disabling PGP/S/MIME, you should make sure your email client hast remote/external content disabled - that's a huge privacy violation even without this bug".