Mimecast is warning today of a new type of email exploit it has named “Ropemaker” that could potentially be exposing hundreds of millions of desktop email client users to security risks.
The Ropemaker attack abuses desktop email client functionality that enables email messages to pull CSS (Cascading Style Sheet) information from a remote location. Mimecast’s researchers found that an attacker can inject or replace CSS information with malicious information that could lead to exploitation.
According to Mimecast’s advisory, the remote-control capabilities in the Ropemaker exploit “… could enable bad actors to direct unwitting users to malicious Web sites using a technique that could bypass both common security controls as well as fool even the most sophisticated users.”
The name “Ropemaker” is an acronym and stands for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky. Mimecast’s offices in the UK are also located on a street in London called Ropemaker.
The Ropemaker attack is not something that Mimecast has detected in the wild as an exploit that is impacting users today. Matthew Gardiner, cyber-security strategist at Mimecast, told eWEEK that Mimecast security researcher Francisco Ribeiro was conducting theoretical research into potential risks and that’s how the Ropemaker attack vector was discovered. Gardiner added that an important approach to staying ahead of attackers is to think how they think and then improve defenses accordingly.
“This [Ropemaker] has not been seen in the wild by Mimecast to date, although this doesn’t mean for sure it isn’t being used somewhere outside the view of Mimecast,” Gardiner said.
Mimecast responsibly disclosed the Ropemaker vulnerability to both Apple and Microsoft in late 2016. Neither Apple nor Microsoft, however, sees the issue as a vulnerability that can or should be patched, which is why Mimecast has decided to publicly release its research to help raise awareness of the potential risks. Gardiner commented that he’s not surprised that Microsoft and Apple don’t consider Ropemaker to be a viable security risk.
“Ropemaker falls in a gap between all the players,” Gardiner said. “Is it a vulnerability, application abuse and/or a design flaw that was designed for good but has an unintended exploitable weakness?”
Even if a desktop email client only accepts messages that are encrypted in transit with TLS/HTTPS, there is still a risk of exploitation via Ropemaker. Gardiner explained that Ropemaker has nothing to do with manipulating email content while in transit, which is what TLS/HTTPS helps to guard against. Rather Ropemaker is about the manipulation of email after it has been delivered. The Ropemaker exploit is the manipulation of the display of the email after it has been delivered to the user inbox.
Existing antivirus and anti-malware technologies might not necessarily detect or block a Ropemaker attack either, according to Mimecast’s research.
“The remote CSS is remote, as in not on the local machine and thus not visible to any traditional endpoint security system such as AV [antivirus],” Gardiner said.
Gardiner added that as an email gateway, Mimecast can strip out the portion of an inbound email that calls out to a remote resource. Apple mail also has a user-configurable setting that does the equivalent from the email client. As it turns out, browser-based email clients, including Google’s Gmail, are not currently at risk from Ropemaker.
“We aren’t sure exactly what they have done, other than we believe that the developers of those applications must have recognized the risk and made a filter along the lines of what Mimecast has provided to our customers,” Gardiner said.
For desktop email client users, there are a few options to help mitigate the risk of a Ropemaker email attack.
“An organization could block all HTML emails, which is a bit draconian, or organizations could use browser-based email clients,” Gardiner said. “There aren’t what we consider any perfect defenses against it. We believe an email industry dialogue is needed to address this type of application exploit.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.