Submitted via IRC for Bytram
Attention anyone using Microsoft Outlook to encrypt emails. Researchers at security outfit SEC Consult have found a bug in Redmond's software that causes encrypted messages to be sent out with their unencrypted versions attached.
You read that right: if you can intercept a network connection transferring an encrypted email, you can just read off the unencrypted copy stapled to it, if the programming blunder is triggered.
The bug is activated when Outlook users use S/MIME to encrypt messages and format their emails as plain text. When sent, the software reports the memo was delivered in an encrypted form, and it appears that way in the Sent folder – but attached to the ciphered text is an easily human-readable cleartext version of the same email. This somewhat derails the use of encryption.
"This has been a rather unusual vulnerability discovery," the SEC team said in an advisory on Tuesday.
Source: https://www.theregister.co.uk/2017/10/11/outlook_smime_bug/
(Score: 2) by Grishnakh on Sunday October 15 2017, @04:17PM (2 children)
Why should the vendor be responsible? This vendor has a LONG track record of poor security, AND they have a license agreement which specifically absolves them of any liability. The fault is all the people who keep using this vendor regardless. There are other solutions and other vendors out there, but these stupid institutions won't even look at those. The people at these institutions should be going to jail for picking this vendor. As I said before, the vendor has a license agreement which absolves them of responsibility; if the institutions don't like that, then they shouldn't have selected this vendor.
(Score: 3, Interesting) by BsAtHome on Sunday October 15 2017, @07:30PM (1 child)
Well, the interesting scenario is the following:
Client: we want a piece of software that will utilize secure communications according to spec. XYZ.
Vendor: we have this software available and it adheres to spec XYZ.
Client: can you give any assurance that your software is compliant?
Vendor: our software is fully compliant with the specification.
Now, the vendor sells this piece of software and it actually fails to be compliant. The vendor hides behind the "we are absolved from all by the contract". However, the vendor assured compliance and has therefore been negligent. What weighs more, the contract or the assurance. Please note that the assurance is a verbal contract in its own right (there may be email correspondence too).
This is where it gets complicated.
(Score: 3, Informative) by Grishnakh on Monday October 16 2017, @04:53AM
The vendor hides behind the "we are absolved from all by the contract". However, the vendor assured compliance and has therefore been negligent. What weighs more, the contract or the assurance. Please note that the assurance is a verbal contract in its own right (there may be email correspondence too).
I say the contract weighs more. The "assurance" is just BS from some salesperson. Doesn't everyone with a brain know by now that you can't trust anything salespeople tell you? We have actual contracts for a reason, because some imprecise BS spewed by some salesperson can be argued different ways, whereas contracts are made to be extremely explicit so there's no confusion and no easy way to argue them.