by virusduck 2957 days ago
I dunno, a client issue like this seems pretty terrible to me since there is no obvious (to me) way to fix it. If I am encrypting a message, I have no control over what client decrypts it (and whether that client unwittingly passes the information along) without maybe changing the standard completely.

The thing is, if I am reading correctly, it seems like this kind of vulnerability seems totally predictable.

1 comments

I agree, after getting the details it's fair to say that while some MUAs should fix their handling of encrypted emails, PGP implementations and the S/MIME standard share a part of the blame by not detecting and preventing the decoding of tampered documents. Still, the way the problem was disclosed is rather misleading and confusing.