Attention anyone using Microsoft Outlook to encrypt emails. Researchers at security outfit SEC Consult have found a bug in Redmond’s software that causes encrypted messages to be sent out with their unencrypted versions attached.
You read that right: if you can intercept a network connection transferring an encrypted email, you can just read off the unencrypted copy stapled to it, if the programming blunder is triggered.
The bug is triggered when Outlook users encrypt a message with S/MIME and format the email as plain text. When sent, the software reports the memo was delivered in encrypted form, and it appears that way in the Sent folder – but attached to the ciphertext is an easily human-readable cleartext version of the same email. This somewhat derails the use of encryption.

“This has been a rather unusual vulnerability discovery,” the SEC team said in an advisory on Tuesday.
“Unlike other cases we kind of stumbled upon the first indications of this vulnerability by pure coincidence (we did not search for Outlook vulnerabilities). We knew something was seriously wrong when we noticed that the contents of S/MIME encrypted mails were shown in Outlook Web Access.”
There are other side effects, depending on how you have Outlook configured. If you’re using Outlook with Exchange then the unwanted plain text email is only sent one hop to the intended recipient and can’t be forwarded on.
But if you’re running Outlook under SMTP then the unwanted email leaks to not only the recipient but also to all mail servers along the path. Potentially that’s a security nightmare.
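Defenders who want to check a mailbox export or gateway capture for the pattern described above can parse the MIME structure and flag any message where a readable text part travels beside an S/MIME enveloped part. The following Python is an added example, not code from SEC Consult, Microsoft or the article; the two messages are constructed and the ciphertext is a placeholder.

```python
import email
from email import policy

# MIME types used for S/MIME enveloped (encrypted) data.
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def find_cleartext_leak(raw: bytes) -> list[str]:
    """Return content types of non-empty readable text parts that sit
    beside an S/MIME encrypted part in the same message ([] if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    has_smime = False
    readable = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in SMIME_TYPES:
            has_smime = True
        elif ctype.startswith("text/") and not part.is_multipart():
            if part.get_content().strip():      # ignore empty filler parts
                readable.append(ctype)
    # Readable text is only a leak when the message also carries ciphertext.
    return readable if has_smime else []

# Constructed sample: ciphertext plus a cleartext copy in the same envelope.
LEAKY = b"""From: alice@example.com
To: bob@example.com
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

MIIBCONSTRUCTEDCIPHERTEXTPLACEHOLDER000000000000000000000000000000=
--b1
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

The merger closes Friday. Do not forward.
--b1--
"""

# Constructed sample: a normal S/MIME message, ciphertext only.
CLEAN = b"""From: alice@example.com
To: bob@example.com
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIIBCONSTRUCTEDCIPHERTEXTPLACEHOLDER000000000000000000000000000000=
"""

if __name__ == "__main__":
    print("leaky:", find_cleartext_leak(LEAKY))   # ['text/plain']
    print("clean:", find_cleartext_leak(CLEAN))   # []
```

Running it over a mail archive lets you identify which S/MIME messages went out with a cleartext sibling and therefore need to be treated as exposed.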
Microsoft claimed the exploitation of this bug was “unlikely” in the wild. Some infosec professionals argued it was a little too easy to exploit:
Outlook S/MIME bug is absolutely reproducible, I just did it. Does not need an attacker. Microsoft have classified it wrong. @msftsecurity
— Kevin Beaumont 🙃 (@GossiTheDog) October 10, 2017
SEC Consult said it noticed the issue in May, reported it to Microsoft, and hadn’t heard back from the Windows giant as to how long this has been a problem. Redmond fixed the issue in October’s Patch Tuesday bundle, so apply the security update as soon as possible. And also consider that any plain-text-formatted S/MIME messages sent from Outlook may have been read over the wire by miscreants. ®