(Image: file photo)A bug in Microsoft Outlook meant that sensitive emails supposed to be scrambled with S/MIME encryption before they were sent may have also been mistakenly sent in unencrypted plaintext.
The bug let plaintext-formatted encrypted mails be sent in both encrypted and unencrypted forms, according to a blog post describing the issue.
Those unencrypted messages could have exposed secret or sensitive communications for months, the researchers said.
S/MIME is an end-to-end email encryption standard that allows email clients to scramble the contents of an email before it’s sent over the internet using a personal certificate. Encrypting emails doesn’t just protect the contents, but ensures the authenticity of the message’s contents.
The bug allowed encrypted emails sent through Outlook to be read without the private certificates of the recipient, which “results in total loss of security properties provided by S/MIME encryption,” the blog post read.(Image: SEC Consult)
Users would have been unaware of the security lapse, because the message would appear as encrypted in Outlook’s “sent items” folder.
The researchers said that an attacker could intercept and read emails if they have “access to the network traffic at any point along the mails path through the network and no transport level encryption is used,” or if the attacker has access to either the sender or recipient’s mailboxes.
But incoming messages encrypted using S/MIME were not affected, said the researchers.
Security researcher Kevin Beaumont independently verified the bug.
Microsoft fixed the bug on Tuesday as part of its monthly release of security fixes, which rated the bug as “important.”
Updates are available through the usual Windows Update and Office Update channels.
Contact me securely
Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
Leaked TSA documents reveal New York airport’s wave of security lapses
US government pushed tech firms to hand over source code
At the US border: Discriminated, detained, searched, interrogated
Millions of Verizon customer records exposed in security lapse
Meet the shadowy tech brokers that deliver your data to the NSA
Inside the global terror watchlist that secretly shadows millions
FCC chairman voted to sell your browsing history — so we asked to see his
With a single wiretap order, US authorities listened in on 3.3 million phone calls
198 million Americans hit by ‘largest ever’ voter records leak
Britain has passed the ‘most extreme surveillance law ever passed in a democracy’
Microsoft says ‘no known ransomware’ runs on Windows 10 S — so we tried to hack it
Leaked document reveals UK plans for wider internet surveillance