SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Client)  >   Apple Mail Vendors:   Apple
Apple Mail Decrypted HTML Parsing Flaw Lets Remote Users Decrypt and Obtain Potentially Sensitive Information from the Target User's Email Client
SecurityTracker Alert ID:  1040905
SecurityTracker URL:  http://securitytracker.com/id/1040905
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  May 14 2018
Impact:   Disclosure of user information
Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability was reported in Apple Mail. A remote user can decrypt and obtain potentially sensitive information on the target system.

A remote user with access to a target user's PGP or S/MIME encrypted email message can create a specially crafted multipart email message that includes a modified version of the encrypted content. When the target user decrypts and views the email message, the target user's mail client will disclose the plaintext to a remote URL.

This exploit is the direct exfiltration attack method of the vulnerability referred to as "EFAIL".

The vendor was notified on February 10, 2018.

The original advisory is available at:

https://efail.de/efail-attack-paper.pdf

Damian Poddebniak, Christian Dresen, Jens Muller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jorg Schwenk reported this vulnerability.

Impact:   A remote user with access to a target user's PGP or S/MIME encrypted email message can obtain decrypted plaintext from the target user's mail client.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.apple.com/ (Links to External Site)
Cause:   Access control error, State error
Underlying OS:  UNIX (macOS/OS X)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 14 2018 (Apple iOS is Affected) Apple Mail Decrypted HTML Parsing Flaw Lets Remote Users Decrypt and Obtain Potentially Sensitive Information from the Target User's Email Client
The mail app on Apple iOS is affected.



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC