Close
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Video
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Ropemaker Email Exploit Exposes Desktop Clients to Security Risks

    Written by

    Sean Michael Kerner
    Published August 22, 2017
    Share
    Facebook
    Twitter
    Linkedin

      eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

      Mimecast is warning today of a new type of email exploit it has named “Ropemaker” that could potentially be exposing hundreds of millions of desktop email client users to security risks.

      The Ropemaker attack abuses desktop email client functionality that enables email messages to pull CSS (Cascading Style Sheet) information from a remote location. Mimecast’s researchers found that an attacker can inject or replace CSS information with malicious information that could lead to exploitation.

      According to Mimecast’s advisory, the remote-control capabilities in the Ropemaker exploit “… could enable bad actors to direct unwitting users to malicious Web sites using a technique that could bypass both common security controls as well as fool even the most sophisticated users.”

      The name “Ropemaker” is an acronym and stands for Remotely Originated Post-delivery Email Manipulation Attacks Keeping Email Risky. Mimecast’s offices in the UK are also located on a street in London called Ropemaker.

      The Ropemaker attack is not something that Mimecast has detected in the wild as an exploit that is impacting users today. Matthew Gardiner, cyber-security strategist at Mimecast, told eWEEK that Mimecast security researcher Francisco Ribeiro was conducting theoretical research into potential risks and that’s how the Ropemaker attack vector was discovered. Gardiner added that an important approach to staying ahead of attackers is to think how they think and then improve defenses accordingly.

      “This [Ropemaker] has not been seen in the wild by Mimecast to date, although this doesn’t mean for sure it isn’t being used somewhere outside the view of Mimecast,” Gardiner said.

      Mimecast responsibly disclosed the Ropemaker vulnerability to both Apple and Microsoft in late 2016.  Neither Apple nor Microsoft, however, sees the issue as a vulnerability that can or should be patched, which is why Mimecast has decided to publicly release its research to help raise awareness of the potential risks. Gardiner commented that he’s not surprised that Microsoft and Apple don’t consider Ropemaker to be a viable security risk.

      “Ropemaker falls in a gap between all the players,” Gardiner said. “Is it a vulnerability, application abuse and/or a design flaw that was designed for good but has an unintended exploitable weakness?”

      Even if a desktop email client only accepts messages that are encrypted in transit with TLS/HTTPS, there is still a risk of exploitation via Ropemaker. Gardiner explained that Ropemaker has nothing to do with manipulating email content while in transit, which is what TLS/HTTPS helps to guard against. Rather Ropemaker is about the manipulation of email after it has been delivered. The Ropemaker exploit is the manipulation of the display of the email after it has been delivered to the user inbox.

      Existing antivirus and anti-malware technologies might not necessarily detect or block a Ropemaker attack either, according to Mimecast’s research.

      “The remote CSS is remote, as in not on the local machine and thus not visible to any traditional endpoint security system such as AV [antivirus],” Gardiner said. 

      Gardiner added that as an email gateway, Mimecast can strip out the portion of an inbound email that calls out to a remote resource. Apple mail also has a user-configurable setting that does the equivalent from the email client. As it turns out, browser-based email clients, including Google’s Gmail, are not currently at risk from Ropemaker. 

      “We aren’t sure exactly what they have done, other than we believe that the developers of those applications must have recognized the risk and made a filter along the lines of what Mimecast has provided to our customers,” Gardiner said.

      For desktop email client users, there are a few options to help mitigate the risk of a Ropemaker email attack. 

      “An organization could block all HTML emails, which is a bit draconian, or organizations could use browser-based email clients,” Gardiner said. “There aren’t what we consider any perfect defenses against it. We believe an email industry dialogue is needed to address this type of application exploit.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and writer for several leading IT business web sites.

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      Get the Free Newsletter!

      Subscribe to Daily Tech Insider for top news, trends & analysis

      MOST POPULAR ARTICLES

      Artificial Intelligence

      9 Best AI 3D Generators You Need...

      Sam Rinko - June 25, 2024 0
      AI 3D Generators are powerful tools for many different industries. Discover the best AI 3D Generators, and learn which is best for your specific use case.
      Read more
      Cloud

      RingCentral Expands Its Collaboration Platform

      Zeus Kerravala - November 22, 2023 0
      RingCentral adds AI-enabled contact center and hybrid event products to its suite of collaboration services.
      Read more
      Artificial Intelligence

      8 Best AI Data Analytics Software &...

      Aminu Abdullahi - January 18, 2024 0
      Learn the top AI data analytics software to use. Compare AI data analytics solutions & features to make the best choice for your business.
      Read more
      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Video

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2024 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×