Vulnerable clients (was: US-CERT now issuing a warning for OpenPGP-SMIME-Mail-Client-Vulnerabilities)

Matthias Apitz guru at unixarea.de
Wed May 16 10:02:21 CEST 2018


El día Tuesday, May 15, 2018 a las 10:44:16AM +0200, Werner Koch escribió:

> On Tue, 15 May 2018 03:31, jerry at seibercom.net said:
> > NCCIC encourages users and administrators to review CERT/CC’s Vulnerability
> > Note VU #122919.
> 
> Doesn't CERT read the paper before produciong a report?  The table of
> vulnerable MUAs is easy enough to read.  To better see what we are
> discussing, here is the table in plain text format with the check marks
> replaced by yes and no.
> 
> --8<---------------cut here---------------start------------->8---
>           TABLE OF VULNERABLE MAIL CLIENTS
> 
> | OS      | Client          | S/MIME | PGP               |
> |         |                 |        | -MDC | +MDC | SE  |
> |---------+-----------------+--------+------+------+-----|
> | Windows | Outlook 2007    | yes    | yes  | yes  | no  |
> |         | Outlook 2010    | yes    | no   | no   | no  |
> |         | Outlook 2013    | user   | no   | no   | no  |
> |         | Outlook 2016    | user   | no   | no   | no  |
> |         | Win. 10 Mail    | yes    | –    | –    | –   |
> |         | Win. Live Mail  | yes    | –    | –    | –   |
> |         | The Bat!        | user   | no   | no   | no  |
> |         | Postbox         | yes    | yes  | yes  | yes |
> |         | eM Client       | yes    | no   | yes  | no  |
> |         | IBM Notes       | yes    | –    | –    | –   |
> | Linux   | Thunderbird     | yes    | yes  | yes  | yes |
> |         | Evolution       | yes    | no   | no   | no  |
> |         | Trojitá         | yes    | no   | no   | no  |
> |         | KMail           | user   | no   | no   | no  |
> |         | Claws           | no     | no   | no   | no  |
> |         | Mutt            | no     | no   | no   | no  |
> | macOS   | Apple Mail      | yes    | yes  | yes  | yes |
> |         | MailMate        | yes    | no   | no   | no  |
> |         | Airmail         | yes    | yes  | yes  | yes |
> | iOS     | Mail App        | yes    | –    | –    | –   |
> |         | Canary Mail     | –      | no   | no   | no  |
> | Android | K-9 Mail        | –      | no   | no   | no  |
> |         | R2Mail2         | yes    | no   | yes  | no  |
> |         | MailDroid       | yes    | no   | yes  | no  |
> |         | Nine            | yes    | –    | –    | –   |
> | Webmail | United Internet | –      | no   | no   | no  |
> |         | Mailbox.org     | –      | no   | no   | no  |
> |         | ProtonMail      | –      | no   | no   | no  |
> |         | Mailfence       | –      | no   | no   | no  |
> |         | GMail           | yes    | –    | –    | –   |
> | Webapp  | Roundcube       | –      | no   | no   | yes |
> |         | Horde IMP       | user   | no   | yes  | yes |
> |         | AfterLogic      | –      | no   | no   | no  |
> |         | Rainloop        | –      | no   | no   | no  |
> |         | Mailpile        | –      | no   | no   | no  |
> 
> 
> -    = Encryption not supported
> no   = Not vulnerable
> yes  = Vulnerable
> user = Vulnerable after user consent
> 
> -MDC = with stripped MDC, +MDC = with wrong MDC, SE = SE packets
> --8<---------------cut here---------------end--------------->8---
> 
> My conclusion is that S/MIME is vulnerable in most clients with the
> exception of The Bat!, Kmail, Claws, Mutt and Horde IMP.  I take the
> requirement for a user consent as non-vulnerable.  Most of the
> non-vulnerable clients use GnuPG as their engine.

Werner, my conclusion in addition is that the table is incorrect.
Most (if not even all) of the MUA which are noted for Linux do run on
nearly any other UNIX flavor, FreeBSD, OpenBSD, ... and mutt in addition
runs  on Canonical Ubuntu for smartphones/tablets and UBports devices.

	matthias

-- 
Matthias Apitz, ✉ guru at unixarea.de, ⌂ http://www.unixarea.de/  📱 +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub



More information about the Gnupg-users mailing list