Vulnerabilities of E-mail Clients

E-mail represents a crucial part of both corporate and private communication. Thanks to its popularity there is a plethora of different e-mail clients with advanced features that enhance the simple and originally pure text format of e-mail by features like sending of attachments (MIME), encrypted contents (S-MIME, PGP) or stylized HTML text with images.

Nevertheless, more functionalities of e-mail clients often mean more security vulnerabilities that can be interesting for attackers: software bugs, incompliance with standards or bad configuration of security mechanisms. The potential attacker can exploit these vulnerabilities in many different ways.

Tracking of e-mail recipients via external links

Images displayed in e-mails are usually attached directly to the e-mail. However, e-mails can occasionally contain just a link to a web server located in the Internet, from which these images are downloaded by your e-mail client at the moment the e-mail is opened.

For a potential attacker, who created such an e-mail, it is sufficient to wait and track when your computer connects to download the images. The attacker immediately detects not only the time when the e-mail has been opened, your IP address that can be used to track your location, but also information whether you have opened it on a mobile, tablet or personal computer.

If you think you can avoid such tracking by simple deletion of the e-mail, be careful! The external link is visited at the moment you click on the message in your e-mail client, the sender’s address can easily be forged and messages can even contain images you might not notice – e.g. it can be a dot with the size 1×1 pixel. In fact, this technique is often utilized by a large number of e-mail campaigns that are usually delivered into your e-mail inbox.

Yet, the protection is simple: disable automatic download of images and remote content from external links. If a message requires external images to load, do not enable their loading until you have a good reason for it. Remember that by such clicking you reveal some private information for each image displayed.

Information how to disable automatic download of images and remote content in e-mail clients can be found at the following links:

Moreover, if you have a firewall installed, we recommend to create a rule to block connections from e-mail clients to all addresses in the Internet, with exception of addresses of your post servers.

Access to encrypted data

In case you use e-mail to send and receive sensitive information, there is a good chance that for encryption of sensitive content you use PGP or S/MIME. A recently published vulnerability is based on a fact, that post client decrypts some parts of e-mail before displaying the whole message content. Researchers found a method to modify the e-mail content in a way that decrypted parts are sent to the attacker immediately the e-mail has been displayed. The attacker who can send you a forged e-mail can thus gain an access to contents of your current and past communication – contents you consider private.

Protection against this vulnerability is based on update of your post client and blocking of external links as described in the previous part about tracking of e-mail recipients.

Installation of malware through software flaws

Software flaws can also cause serious security problems. A certain amount of bugs and flaws is present inside every more complex software. E.g. among security vulnerabilities in Microsoft Outlook published in 2018 we can find multiple vulnerabilities that a remote attacker can exploit to run malware on your computer, gain access to your files, make screenshots of your screen, capture passwords and many similar malicious operations.

How to protect yourself? In general, as long as vulnerabilities are not discovered they cannot be exploited. However, if a researcher discovers a vulnerability and does not disclose it publicly, protection is practically impossible – this kind of vulnerability is called “zero-day” vulnerability. The set of potential attackers able to exploit these vulnerabilities is quite small.

As soon as vulnerabilities are discovered by software developers, a security update is released and the race begins. While you are installing the security update or patches, other people may be analyzing it, comparing it with the previous software versions and looking for the way how to exploit the vulnerability in older and unpatched versions. Exploits of older vulnerabilities are often available in public repositories on the Internet. Shortly after the release of security update, every computer and device without this update should be considered easily vulnerable and every e-mail an attempt to exploit the vulnerability. Protection is therefore based on regular installation of updates and security patches as soon as they are released by the developers.

Summary of recommendations

  • disable automatic download of images and remote content from external links
  • do not allow opening of external links, even in case the e-mail asks for it
  • use a firewall that can block outgoing connections based on applications
  • update your e-mail client and operating system

« Späť na zoznam