Thanks, Bill, for sharing this.
Of particular interest, I noticed this in the FAQ at the second link:
Quote: Can you read my emails? No. The EFAIL attacks require the attacker to have access to your S/MIME or PGP encrypted emails. You are thus only affected if an attacker already has access to your emails.
They also suggest the best way to avoid the potential attack vector is to not decrypt PGP-encrypted emails in the client. Instead, copy the ciphertext to a separate PGP program and decrypt it there, but the other short-term mitigation is what you suggest: turning off HTML.
Also note this answer to a question where some email clients are mentioned.
Quote: Is my email client affected?
Our analysis shows that EFAIL plaintext exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients. While it is necessary to change the OpenPGP and S/MIME standards to reliably fix these vulnerabilities, Apple Mail, iOS Mail and Mozilla Thunderbird had even more severe implementation flaws allowing direct exfiltration of the plaintext that is technically very easy to execute.
Also interesting that GnuPG in the BBC article says that the EFF has overblown the issue, that it's not an issue with S/MIME or PGP but the way various clients handle PGP decryption errors incorrectly. Of course, this conflicts with what the EFAIL team is reporting. We'll probably need more time to get the full story. It's not unheard of for firms to exaggerate vulnerabilities to promote their abilities.