SoylentNews is people

posted by Fnord666 on Sunday October 15 2017, @07:22AM
from the so-you-can-read-it-easier dept.

Submitted via IRC for Bytram

Attention anyone using Microsoft Outlook to encrypt emails. Researchers at security outfit SEC Consult have found a bug in Redmond's software that causes encrypted messages to be sent out with their unencrypted versions attached.

You read that right: if you can intercept a network connection transferring an encrypted email, you can just read off the unencrypted copy stapled to it, if the programming blunder is triggered.

The bug is activated when Outlook users use S/MIME to encrypt messages and format their emails as plain text. When sent, the software reports the memo was delivered in an encrypted form, and it appears that way in the Sent folder – but attached to the ciphered text is an easily human-readable cleartext version of the same email. This somewhat derails the use of encryption.

"This has been a rather unusual vulnerability discovery," the SEC team said in an advisory on Tuesday.

Source: https://www.theregister.co.uk/2017/10/11/outlook_smime_bug/
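
A mail-gateway check for the symptom described above, as an added example that is not from the article or the SEC Consult advisory: it flags a message that carries an S/MIME encrypted part and readable text in the same MIME tree. The article does not say how the cleartext is attached on the wire, so the multipart layout of the constructed sample and the function name `cleartext_beside_smime` are assumptions.

```python
import email
from email import policy

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

# Constructed samples; the base64 bodies are placeholders, not real CMS data.
LEAKY = """\
From: alice@example.com
To: bob@example.com
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

The merger closes Friday.
--b1
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

AAAAAAAA
--b1--
"""

CLEAN = """\
From: alice@example.com
To: bob@example.com
Subject: test
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

AAAAAAAA
"""


def cleartext_beside_smime(raw):
    """Return readable text parts of a message that also carries an S/MIME encrypted part."""
    msg = email.message_from_string(raw, policy=policy.default)
    encrypted, readable = False, []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in SMIME_TYPES:
            # A missing smime-type is treated as enveloped-data (assumption of this example).
            kind = str(part.get_param("smime-type", "enveloped-data")).lower()
            encrypted = encrypted or kind == "enveloped-data"
        elif ctype.startswith("text/") and not part.is_multipart():
            text = part.get_content().strip()
            if text:
                readable.append(text)
    return readable if encrypted else []
```

A non-empty result means the message should be quarantined or inspected before it leaves the organisation; an empty list means no readable text was found alongside an encrypted part.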


This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Funny) by Anonymous Coward on Sunday October 15 2017, @07:43AM (4 children)

    I think someone at Microsoft took the specifications to make sure the NSA can read all the emails, and generalized it somewhat too much.

  • (Score: 1, Informative) by Anonymous Coward on Sunday October 15 2017, @08:14AM

    Or they disapproved and had a sense of humor. This and the management engine backdoor are priceless 'mistakes', funny guys. Given what's possible (see Obfuscated Perl Contest), these are just in plain sight.

  • (Score: 2) by choose another one on Sunday October 15 2017, @04:53PM (2 children)

    Unless I have misread it, the NSA will only be able to read the emails of the outlook users who configure plain text format for emails, which is like, nobody.

    Outlook defaults to html mail, users expect it to work that way and in an outlook environment sending plain text gets you "wtf is that" comments.

    Microsoft's assessment is that exploitation is "unlikely" - I'd say they're right. Still doesn't excuse the bug mind, but probably explains how it got through testing - plain text is basically a never-used mode in outlook. You and I, and at a guess the majority of SN users, might think plain-text is the right and proper format for emails, but the average outlook user will not.

    • (Score: 0) by Anonymous Coward on Monday October 16 2017, @09:15AM (1 child)

      Outlook's default format for replying to emails in plain text is plain text.

      • (Score: 0) by Anonymous Coward on Monday October 16 2017, @12:17PM

        But only evil hackers will send plain text messages, and communication with evil hackers does not deserve protection. ;-)