Submitted via IRC for Bytram
Attention anyone using Microsoft Outlook to encrypt emails. Researchers at security outfit SEC Consult have found a bug in Redmond's software that causes encrypted messages to be sent out with their unencrypted versions attached.
You read that right: if you can intercept a network connection transferring an encrypted email, you can just read off the unencrypted copy stapled to it, if the programming blunder is triggered.
The bug is activated when Outlook users use S/MIME to encrypt messages and format their emails as plain text. When sent, the software reports the memo was delivered in an encrypted form, and it appears that way in the Sent folder – but attached to the ciphered text is an easily human-readable cleartext version of the same email. This somewhat derails the use of encryption.
"This has been a rather unusual vulnerability discovery," the SEC team said in an advisory on Tuesday.
Source: https://www.theregister.co.uk/2017/10/11/outlook_smime_bug/
(Score: 5, Funny) by Anonymous Coward on Sunday October 15 2017, @07:43AM (4 children)
I think someone at Microsoft took the specifications to make sure the NSA can read all the emails, and generalized it somewhat too much.
(Score: 1, Informative) by Anonymous Coward on Sunday October 15 2017, @08:14AM
Or they disapproved and had a sense of humor. This and the management engine backdoor are priceless 'mistakes', funny guys. Given whats possible (see Obfuscated Perl Contest), these are just in plain sight.
(Score: 2) by choose another one on Sunday October 15 2017, @04:53PM (2 children)
Unless I have misread it, the NSA will only be able to read the emails of the outlook users who configure plain text format for emails, which is like, nobody.
Outlook defaults to html mail, users expect it to work that way and in an outlook environment sending plain text gets you "wtf is that" comments.
Microsoft's assessment is that exploitation is "unlikely" - I'd say they're right. Still doesn't excuse the bug mind, but probably explains how it got through testing - plain text is basically a never-used mode in outlook. You and I, and at a guess the majority of SN users, might think plain-text is the right and proper format for emails, but the average outlook user will not.
(Score: 0) by Anonymous Coward on Monday October 16 2017, @09:15AM (1 child)
Outlook's default format for replying to emails in plain text is plain text.
(Score: 0) by Anonymous Coward on Monday October 16 2017, @12:17PM
But only evil hackers will sent plain text messages, and communication with evil hackers does not deserve protection. ;-)