
posted by Fnord666 on Sunday October 15 2017, @07:22AM
from the so-you-can-read-it-easier dept.

Submitted via IRC for Bytram

Attention anyone using Microsoft Outlook to encrypt emails. Researchers at security outfit SEC Consult have found a bug in Redmond's software that causes encrypted messages to be sent out with their unencrypted versions attached.

You read that right: if you can intercept a network connection transferring an encrypted email, you can just read off the unencrypted copy stapled to it, if the programming blunder is triggered.

The bug is activated when Outlook users use S/MIME to encrypt messages and format their emails as plain text. When sent, the software reports the memo was delivered in an encrypted form, and it appears that way in the Sent folder – but attached to the ciphered text is an easily human-readable cleartext version of the same email. This somewhat derails the use of encryption.

"This has been a rather unusual vulnerability discovery," the SEC team said in an advisory on Tuesday.

Source: https://www.theregister.co.uk/2017/10/11/outlook_smime_bug/
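The story above describes the symptom: a message whose S/MIME ciphertext part travels together with a readable copy of the same text. The following is an added example, not code from SEC Consult's advisory, The Register's article or Microsoft. It uses Python's standard-library email parser to flag any text part that sits beside an application/pkcs7-mime envelope, which is how the leaked copy would appear on the wire or in an exported Sent Items folder. The sample messages, addresses and placeholder "ciphertext" bytes are constructed here for illustration; none of them come from the original report.

```python
"""Flag S/MIME messages whose ciphertext travels with a readable copy.

Added example, not code from SEC Consult's advisory, The Register's article
or Microsoft. It parses a message with the standard-library email package and
reports any text/* part that sits beside an application/pkcs7-mime envelope.
The sample messages are constructed here; the "ciphertext" is a placeholder
byte string, not a real CMS EnvelopedData structure.
"""
from email import policy
from email.message import EmailMessage, MIMEPart
from email.parser import BytesParser

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def is_smime_envelope(part: MIMEPart) -> bool:
    """True for a leaf part that carries S/MIME enveloped (encrypted) data.

    Signed-only S/MIME (smime-type=signed-data, or multipart/signed) is
    deliberately readable and is not treated as an envelope here.
    """
    if part.get_content_type() not in SMIME_TYPES:
        return False
    smime_type = str(part.get_param("smime-type", failobj="")).lower()
    # Some clients omit smime-type; treat an unlabelled pkcs7-mime blob as enveloped.
    return smime_type in ("", "enveloped-data", "authenveloped-data")


def find_cleartext_leak(raw: bytes) -> list[str]:
    """Return the Content-Types of readable parts sent alongside an envelope.

    An empty list means the message either is not S/MIME encrypted at all or
    carries nothing readable next to its ciphertext. In a correctly formed
    encrypted message the whole body is the single pkcs7-mime part, so any
    text/* sibling is the symptom described in the story.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    has_envelope = False
    readable: list[str] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if is_smime_envelope(part):
            has_envelope = True
        elif part.get_content_maintype() == "text":
            readable.append(part.get_content_type())
    return readable if has_envelope else []


def _set_envelope(part: MIMEPart) -> None:
    """Turn `part` into an application/pkcs7-mime part holding placeholder bytes."""
    fake_ciphertext = b"\x30\x82\x01\x00" + b"\x00" * 64  # constructed, not real CMS
    part.set_content(
        fake_ciphertext, maintype="application", subtype="pkcs7-mime",
        cte="base64", filename="smime.p7m",
        params={"smime-type": "enveloped-data", "name": "smime.p7m"},
    )


def build_message(leak_cleartext: bool) -> bytes:
    """Constructed sample: a proper S/MIME envelope, or one with a cleartext copy."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"   # assumed addresses
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Lab results"
    if leak_cleartext:
        # Mirrors the reported layout: readable text plus the envelope attached.
        msg.set_content("Patient record attached. Do not forward.")
        msg.make_mixed()
        envelope = MIMEPart()
        _set_envelope(envelope)
        msg.attach(envelope)
    else:
        _set_envelope(msg)  # the envelope is the entire body
    return msg.as_bytes()


if __name__ == "__main__":
    for leaky in (False, True):
        leak = find_cleartext_leak(build_message(leaky))
        print("LEAK" if leak else "ok", leak)
```

Two caveats for anyone running this over real mail: the check trusts the smime-type parameter rather than parsing the CMS structure, so a mislabelled part can fool it in either direction, and it only looks at parts outside the envelope. Text parts inside a properly encrypted message are invisible until decryption and are not a leak; a text/* sibling of the envelope at the top level is.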


  • (Score: 2, Funny) by Anonymous Coward on Sunday October 15 2017, @07:33AM (8 children)

    by Anonymous Coward on Sunday October 15 2017, @07:33AM (#582572)

    I don't even have to go through a lengthy decryption process to read my email. What is so bad about this?

    • (Score: 2) by maxwell demon on Sunday October 15 2017, @08:21AM (2 children)

      by maxwell demon (1608) on Sunday October 15 2017, @08:21AM (#582576) Journal

      It's bad because the sender is tricked into wasting processor cycles generating an encrypted version, when he could have just sent the unencrypted mail as is. ;-)

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Sunday October 15 2017, @09:49AM

        by Anonymous Coward on Sunday October 15 2017, @09:49AM (#582582)

        That's good for the economy. Win-win.

      • (Score: 0) by Anonymous Coward on Sunday October 15 2017, @01:25PM

        by Anonymous Coward on Sunday October 15 2017, @01:25PM (#582624)

        I'm sure those cycles are just used for something benign like facial recognition or dark web searches for missing children, why do you hate America?!

    • (Score: 2) by MostCynical on Sunday October 15 2017, @11:21AM (1 child)

      by MostCynical (2589) on Sunday October 15 2017, @11:21AM (#582604) Journal

      Better, you get to check your decryption worked properly!

      --
      "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
      • (Score: 0) by Anonymous Coward on Sunday October 15 2017, @04:03PM

        by Anonymous Coward on Sunday October 15 2017, @04:03PM (#582651)

        Real terrorists don't use Microsoft Outlook.

    • (Score: 5, Interesting) by kurenai.tsubasa on Sunday October 15 2017, @04:13PM (1 child)

      by kurenai.tsubasa (5227) on Sunday October 15 2017, @04:13PM (#582654) Journal

      lol! Bit more seriously, this comment reminded me of KMail from KDE 3.5, though. Crypto just worked, including the conundrum of managing keys on receipt of a mail with a signature from an unknown key. It was beautiful.

      I've always wondered if Redmond is under orders from some TLA to make crypto suck. It has native support for S/MIME, but only if you add your certificate to the Windows certificate store. Even then, you pretty much need a cert signed by the Guardians of SSL (CAs). I had to add my personal CA to Windows before it would use my cert. Also forget about trying to get it to read a good old PEM file. What is it? PKCS#7 it wants? Or something. GPG4Win has an Outlook plugin last I checked (maybe 7–8 years ago?) but it completely blows.

      In either case, it breaks the UI. You have to double-click on encrypted mail to open it in its own window. It won't show in the regular pane like every other mail. Screw user-friendliness I guess. (Haha, even the malfeature in TFS needs clicking!)

      Oh well, it's turned into big business for cloudy mail providers for hospitals. Thanks to Outlook completely sucking at crypto, hospitals have been going with cloud-based mail vendors that require recipients create a login for each vendor.

      Just imagine all the economic opportunities that would have been lost were crypto quick and easy like KMail!

      • (Score: 1) by Chromium_One on Monday October 16 2017, @02:27AM

        by Chromium_One (4574) on Monday October 16 2017, @02:27AM (#582874)

        It's both better and worse than all that: Microsoft exists primarily for the sake of generating work for IT/tech workers.

        Once you realize this, almost everything about them suddenly makes sense.

        Any profit they make is incidental, anything which pushes forward the state of the art is entirely accidental, not planned. That thing where historically the company has acted like a complete dick about so much of everything ... it's frustration from holding themselves back from trying to do any better!

        --
        When you live in a sick society, everything you do is wrong.
    • (Score: 2) by DECbot on Sunday October 15 2017, @04:42PM

      by DECbot (832) on Sunday October 15 2017, @04:42PM (#582662) Journal

      This is where you're wrong and ignorant. It's been sufficiently secured by passing it through the rot-13 algorithm 4096 times. Don't assume no processing is going on to decrypt a plain clear text message.

      --
      cats~$ sudo chown -R us /home/base
  • (Score: 5, Funny) by Anonymous Coward on Sunday October 15 2017, @07:43AM (4 children)

    by Anonymous Coward on Sunday October 15 2017, @07:43AM (#582573)

    I think someone at Microsoft took the specifications to make sure the NSA can read all the emails, and generalized it somewhat too much.

    • (Score: 1, Informative) by Anonymous Coward on Sunday October 15 2017, @08:14AM

      by Anonymous Coward on Sunday October 15 2017, @08:14AM (#582575)

      Or they disapproved and had a sense of humor. This and the management engine backdoor are priceless 'mistakes', funny guys. Given what's possible (see Obfuscated Perl Contest), these are just in plain sight.

    • (Score: 2) by choose another one on Sunday October 15 2017, @04:53PM (2 children)

      by choose another one (515) Subscriber Badge on Sunday October 15 2017, @04:53PM (#582663)

      Unless I have misread it, the NSA will only be able to read the emails of the outlook users who configure plain text format for emails, which is like, nobody.

      Outlook defaults to html mail, users expect it to work that way and in an outlook environment sending plain text gets you "wtf is that" comments.

      Microsoft's assessment is that exploitation is "unlikely" - I'd say they're right. Still doesn't excuse the bug mind, but probably explains how it got through testing - plain text is basically a never-used mode in outlook. You and I, and at a guess the majority of SN users, might think plain-text is the right and proper format for emails, but the average outlook user will not.

      • (Score: 0) by Anonymous Coward on Monday October 16 2017, @09:15AM (1 child)

        by Anonymous Coward on Monday October 16 2017, @09:15AM (#582932)

        Outlook's default format for replying to emails in plain text is plain text.

        • (Score: 0) by Anonymous Coward on Monday October 16 2017, @12:17PM

          by Anonymous Coward on Monday October 16 2017, @12:17PM (#582965)

          But only evil hackers will send plain text messages, and communication with evil hackers does not deserve protection. ;-)

  • (Score: 5, Interesting) by BsAtHome on Sunday October 15 2017, @09:16AM (6 children)

    by BsAtHome (889) on Sunday October 15 2017, @09:16AM (#582581)

    So, there are some institutions who are required by law to keep communications secure (at least in some EU countries). All those institutions using this software are breaking the law. Who then will be responsible?

    The vendor will undoubtedly hide itself behind the EULA shield. The institutions will point at the vendor. Who is responsible and who will come up for the damage(s) that may be the result of such breach? This might provide an opportunity to pierce the EULA shield because the ramifications of this "flaw" are huge. It would be about time to have vendor responsibility in the software world and get this settled.

    • (Score: 1) by khallow on Sunday October 15 2017, @03:10PM

      by khallow (3766) Subscriber Badge on Sunday October 15 2017, @03:10PM (#582636) Journal

      Who then will be responsible?

      Responsible? Everyone's ass is covered. That's good enough.

      Now that the cat is out of the bag, they will have to do something. They'll probably start with a two stage process - don't use S/MIME, then don't send encrypted stuff by email when that doesn't work. Meanwhile, the organization will have ISO 9001 processes for determining how to develop processes for responding to this problem. That will keep them busy until MS comes out with a fix in a few days or weeks. At that point, things will revert to business as usual until the next security flaw is found.

    • (Score: 2, Informative) by Anonymous Coward on Sunday October 15 2017, @04:02PM

      by Anonymous Coward on Sunday October 15 2017, @04:02PM (#582650)

      there are some institutions who are required by law to keep communications secure (at least in some EU countries). All those institutions using this software are breaking the law.

      In that case the problem is different. The communication layer is then responsible for keeping communication secure. Client side crypto is outside the scope for these situations.

      Basically, in situations where institutions are required to keep communication secure, then the email from their side cannot be delivered to recipients that are either not on their whitelist or cannot be reached securely. You know, SMTP level crypto mandated, and not just opportunistic SSL.

    • (Score: 2) by Grishnakh on Sunday October 15 2017, @04:17PM (2 children)

      by Grishnakh (2831) on Sunday October 15 2017, @04:17PM (#582656)

      Why should the vendor be responsible? This vendor has a LONG track record of poor security, AND they have a license agreement which specifically absolves them of any liability. The fault is all the people who keep using this vendor regardless. There are other solutions and other vendors out there, but these stupid institutions won't even look at those. The people at these institutions should be going to jail for picking this vendor. As I said before, the vendor has a license agreement which absolves them of responsibility; if the institutions don't like that, then they shouldn't have selected this vendor.

      • (Score: 3, Interesting) by BsAtHome on Sunday October 15 2017, @07:30PM (1 child)

        by BsAtHome (889) on Sunday October 15 2017, @07:30PM (#582726)

        Well, the interesting scenario is the following:
        Client: we want a piece of software that will utilize secure communications according to spec. XYZ.
        Vendor: we have this software available and it adheres to spec XYZ.
        Client: can you give any assurance that your software is compliant?
        Vendor: our software is fully compliant with the specification.

        Now, the vendor sells this piece of software and it actually fails to be compliant. The vendor hides behind the "we are absolved from all by the contract". However, the vendor assured compliance and has therefore been negligent. What weighs more, the contract or the assurance. Please note that the assurance is a verbal contract in its own right (there may be email correspondence too).

        This is where it gets complicated.

        • (Score: 3, Informative) by Grishnakh on Monday October 16 2017, @04:53AM

          by Grishnakh (2831) on Monday October 16 2017, @04:53AM (#582908)

          The vendor hides behind the "we are absolved from all by the contract". However, the vendor assured compliance and has therefore been negligent. What weighs more, the contract or the assurance. Please note that the assurance is a verbal contract in its own right (there may be email correspondence too).

          I say the contract weighs more. The "assurance" is just BS from some salesperson. Doesn't everyone with a brain know by now that you can't trust anything salespeople tell you? We have actual contracts for a reason, because some imprecise BS spewed by some salesperson can be argued different ways, whereas contracts are made to be extremely explicit so there's no confusion and no easy way to argue them.

    • (Score: 2) by PiMuNu on Monday October 16 2017, @03:53AM

      by PiMuNu (3823) on Monday October 16 2017, @03:53AM (#582900)

      I think that the organisation involved would have to be demonstrated to have acted negligently. Probably both MS and whatever organisation is using Outlook will be able to demonstrate due diligence, so it is no big deal.

  • (Score: 0) by Anonymous Coward on Sunday October 15 2017, @10:21AM (1 child)

    by Anonymous Coward on Sunday October 15 2017, @10:21AM (#582588)

    Microsoft has a great test suite to catch bugs!
    I trust their software 1,000%!!!!! "Good enough" software, indeed. Don't let developers "goldplate" their software. These are the learnings I take from Microsoft Press.

  • (Score: 5, Interesting) by Justin Case on Sunday October 15 2017, @01:16PM (6 children)

    by Justin Case (4239) on Sunday October 15 2017, @01:16PM (#582622) Journal

    This is the kind of crap you get when your entire design strategy is keeping the users ignorant by hiding what is actually happening.

    Microsoft pioneered this concept, but most other software shops have copied it.

    Users should be insulted. "We think you are too stupid / frightened / lazy to see what's under the hood, so we'll protect your pwetty widdle sensitive eyes by hiding it."

    Another example: browsers hiding the "http" at the beginning of URLs. Stop hiding stuff! If you let people see what's going on, some of them will actually learn something!

    Oh right. People with clue don't need to pay $89.95 for a "package" to do something the native CLI can already do, effortlessly.

    Never mind. Go back to tricking your customers. They don't care. So long as it looks good. And hey, the icon looks like this is an encrypted email, so it's encrypted, right?

    • (Score: 2) by LoRdTAW on Sunday October 15 2017, @05:54PM (4 children)

      by LoRdTAW (3755) on Sunday October 15 2017, @05:54PM (#582680) Journal

      You underestimate the ignorance of users. Most PC users don't even remotely know how computers work at the most basic of levels. Just ask them: "How much memory does your PC have?" Typical answer: "are those mega bytes? Or gigahz? is that the hard drive or the dvd? I dunno" That's your typical PC user. Dumb as bricks. But that's okay because not everyone has to know this shit. They just want to click stuff and get a desired result. That's the job of the developers. And they haven't been doing a good job. At all.

      Mobile is another great example of dumbing the computer down for the user. Hiding stuff is their way of herding the dummies into happy sunshine computer land where everything is so easy to use, so long as you spend another $1.99 here and there.

      • (Score: 4, Insightful) by Arik on Sunday October 15 2017, @06:19PM (2 children)

        by Arik (4543) on Sunday October 15 2017, @06:19PM (#582689) Journal
        "That's your typical PC user. Dumb as bricks. But that's okay because not everyone has to know this shit. They just want to click stuff and get a desired result. That's the job of the developers. And they haven't been doing a good job. At all."

        Developers have done an absolutely horrible job of it consistently for decades. It's insanity to think that's somehow going to change itself.

        A general purpose computer is a very powerful and complex tool. It's NOT ok to put a powerful and complex tool in the hands of someone who is 'dumb as bricks' and determined to stay that way. That's a powerful stupid idea, in fact, and it always was.

        People like that should be using thin clients that can't be screwed up so easily. The web, HTML, provided the basis for making exactly that, which is why interested parties worked so hard and so early to shit it up with scripts and presentation-layer tags and plugins and now HTML5, to prevent that from happening.

        --
        If laughter is the best medicine, who are the best doctors?
        • (Score: 2) by LoRdTAW on Sunday October 15 2017, @06:30PM (1 child)

          by LoRdTAW (3755) on Sunday October 15 2017, @06:30PM (#582697) Journal

          A general purpose computer is a very powerful and complex tool. It's NOT ok to put a powerful and complex tool in the hands of someone who is 'dumb as bricks' and determined to stay that way.

          I can agree with you on the first half, "It's NOT ok to put a powerful and complex tool in the hands of someone who is 'dumb as bricks'".

          Here's the problem part: "and determined to stay that way." They don't stay ignorant on purpose. I honestly think some people just don't have the wit to operate or understand these things. I can't blame them for being cast in front of a PC tasked with just using a few applications to do their job. You can't expect a secretary to know how to understand or fix every problem they have.

          • (Score: 3, Interesting) by Arik on Sunday October 15 2017, @06:49PM

            by Arik (4543) on Sunday October 15 2017, @06:49PM (#582705) Journal
            "They don't stay ignorant on purpose"

            I believe you are wrong, in many cases they do. https://en.wikipedia.org/wiki/Rational_ignorance

            "I honestly think some people just don't have the wit to operate or understand these things. "

            That's true too, but that is a different set of people. At least ten percent of the population is probably mentally incapable of the task even if they're willing and conscientious, and the lack of a sane system actually hurts them the worst of all.

            "You cant expect a secretary to know how to understand or fix every problem they have."

            In my experience the secretary is often much better with computers than the boss, or anyone else in the office, ymmv I suppose ;)

            --
            If laughter is the best medicine, who are the best doctors?
      • (Score: 3, Informative) by maxwell demon on Sunday October 15 2017, @06:36PM

        by maxwell demon (1608) on Sunday October 15 2017, @06:36PM (#582699) Journal

        Ignorant != dumb.

        --
        The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 3, Insightful) by darkfeline on Sunday October 15 2017, @09:25PM

      by darkfeline (1030) on Sunday October 15 2017, @09:25PM (#582769) Homepage

      This is why I prefer to deal with email plain, with the headers and mime parts together in plaintext.

      Once you do, it becomes painfully obvious that email should instead be called epostcard, and even normal people begin to understand why PGP exists.

      --
      Join the SDF Public Access UNIX System today!
  • (Score: 5, Insightful) by LoRdTAW on Sunday October 15 2017, @05:46PM (2 children)

    by LoRdTAW (3755) on Sunday October 15 2017, @05:46PM (#582678) Journal

    Dealing with outlook at work is one of the pleasantries I get to deal with. Then toss in office 365 subscriptions and dimwitted management who insist that those sales force plugins are totally necessary. Never mind those fucking plugins are responsible for 99% of outlook issues. The remaining issues are bad stored credentials that need to be purged then have the user sign back in.

    Am I remotely surprised Outlook is a disastrous cancerous growth in the computer industry? Nope. And people keep eating that shit up.

    • (Score: 3, Informative) by nobu_the_bard on Monday October 16 2017, @01:14PM (1 child)

      by nobu_the_bard (6373) on Monday October 16 2017, @01:14PM (#582974)

      The number of times I've had to manually delete passwords out of the registry and change the permissions for the keys because Outlook sometimes messes it up...

      • (Score: 2) by LoRdTAW on Tuesday October 17 2017, @12:03AM

        by LoRdTAW (3755) on Tuesday October 17 2017, @12:03AM (#583227) Journal

        We run O365 which for a small business is perfect when all they want to be is an MS shop. The only thing that sucks is O365 appears to be more stable when running 2016 on Windows 10. 2010/2016 on Win 7 always runs into that damn sign in window issue and unending plugin issues. Just last week I had my more well seasoned friend (IT is a secondary thing I handle nowadays) rebuild an entire profile because a plugin nuked the PST or something. And Jesus, PSTs, I still have nightmares rebuilding those damn things in the early/mid 00's. Did IT for a bit and promptly bowed the fuck out of that profession.

  • (Score: 0) by Anonymous Coward on Monday October 16 2017, @02:38AM

    by Anonymous Coward on Monday October 16 2017, @02:38AM (#582884)

    Outlook is from Microsoft. Who here is surprised that Microsoft produces insecure crap?
