Submitted via IRC for Bytram
Attention anyone using Microsoft Outlook to encrypt emails. Researchers at security outfit SEC Consult have found a bug in Redmond's software that causes encrypted messages to be sent out with their unencrypted versions attached.
You read that right: if you can intercept a network connection transferring an encrypted email, you can just read off the unencrypted copy stapled to it, if the programming blunder is triggered.
The bug is activated when Outlook users use S/MIME to encrypt messages and format their emails as plain text. When sent, the software reports the memo was delivered in an encrypted form, and it appears that way in the Sent folder – but attached to the ciphered text is an easily human-readable cleartext version of the same email. This somewhat derails the use of encryption.
"This has been a rather unusual vulnerability discovery," the SEC team said in an advisory on Tuesday.
Source: https://www.theregister.co.uk/2017/10/11/outlook_smime_bug/
(Score: 1) by khallow on Sunday October 15 2017, @03:10PM
Responsible? Everyone's ass is covered. That's good enough.
Now that the cat is out of the bad, they will have to do something. They'll probably start with a two stage process - don't use S/MIME, then don't send encrypted stuff by email when that doesn't work. Meanwhile, the organization will have ISO 9001 processes for determining how to develop processes for responding to this problem. That will keep them busy until MS comes out with a fix in a few days or weeks. At that point, things will revert to business as usual until the next security flaw is found.