Microsoft Outlook may have been sending your emails without encryption for months, according to an advisory published by the SEC Consult earlier this week. The bug relates to the handling of S/MIME encryption by Outlook when sending emails.
S/MIME is a public key encryption standard that allows the contents of an email to be protected even when the channel between the sender and the recipient may have been compromised. It does so by scrambling the body of the email using the recipient's public key who can then decrypt the message using their private key.
Due to this bug, however, a seemingly encrypted mail would contain both an encrypted copy secured through the use of S/MIME and an unencrypted copy, all rolled together. The result of this is, of course, that attackers with access to either party's mailbox or unencrypted server-to-server or client-to-server connections could easily read it in plaintext form by referring to the unencrypted copy contained in the bundle. This "results in total loss of security properties provided by S/MIME encryption", according to the advisory.
Users would also remain unaware of the problem, with the message being displayed as encrypted in the 'Sent Items' folder in the Outlook application.
Microsoft has fixed the problem in the Patch Tuesday fixes sent out this October but, according to SEC Consult, the company had informed the software giant of the bug's existence back in May, meaning your seemingly S/MIME encrypted emails could potentially have been read by intercepting parties without much issue in those months. Microsoft did not also communicate to the cyber security firm how long the problem had existed, meaning encrypted emails from an even earlier period could have been affected.
Source: SEC Consult via ZDNet, The Register
3 Comments - Add comment