Shockingly Stupid Bug discovered in Microsoft Outlook

Researchers at SEC Consult, a leading cyber security consultancy, have exposed a bug in Microsoft Outlook that causes encrypted emails to be sent with their unencrypted versions attached.

Do not rub your eyes in disbelief; it is unbelievably true. If the bug has manifested, anyone who intercepts your encrypted email in transit can gain access to its contents by simply opening the attachment in the email. The bug adds an unencrypted version of the secure contents to the email, as an attachment, without your knowledge.
This dumb bug is triggered when an Outlook user formats an email as plain text but encrypts it with S/MIME, a widely accepted protocol for sending digitally signed and encrypted messages. When the email is sent, Outlook reports that it was delivered in an encrypted form, appropriately listing it in the Sent folder, but in reality it has attached a clear-text, human-readable version of the encrypted contents to the same email, making encryption irrelevant.
Microsoft has since released a fix in October’s Patch Tuesday bundle.
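
A mail gateway or a Sent-folder audit can look for the condition described above. The following Python check is an added example, not code from SEC Consult or Microsoft; it assumes the leaked copy travels as a readable `text/*` MIME part in the same message as the S/MIME enveloped-data part, and the sample messages and the function names are constructed for illustration.

```python
from email import message_from_string

ENCRYPTED_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

# Constructed samples: the base64 body is a placeholder, not real ciphertext.
ENVELOPED = ('Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"\n'
             "Content-Transfer-Encoding: base64\n\nQ09OU1RSVUNURUQ=\n")
# What a correctly encrypted message looks like: one opaque part only.
CLEAN = "Subject: Q3\nMIME-Version: 1.0\n" + ENVELOPED
# Assumed shape of an affected message: ciphertext plus a readable copy.
LEAKY = ('Subject: Q3\nMIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="b1"\n\n'
         "--b1\n" + ENVELOPED + "--b1\nContent-Type: text/plain; charset=utf-8\n\n"
         "The acquisition closes Friday.\n--b1--\n")
PLAIN = "Subject: hi\nContent-Type: text/plain\n\nNot encrypted at all.\n"


def is_enveloped(part):
    """True for an S/MIME encrypted (enveloped-data) part."""
    if part.get_content_type() not in ENCRYPTED_TYPES:
        return False
    # smime-type is sometimes omitted; signed-data means signing, not encryption.
    smime_type = part.get_param("smime-type") or "enveloped-data"
    return str(smime_type).lower() == "enveloped-data"


def cleartext_leaks(raw):
    """Return readable text parts that travel alongside an encrypted part."""
    msg = message_from_string(raw)
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    if not any(is_enveloped(p) for p in leaves):
        return []  # not an encrypted message, so nothing can contradict it
    leaks = []
    for p in leaves:
        if p.get_content_maintype() != "text":
            continue
        charset = p.get_content_charset() or "utf-8"
        body = p.get_payload(decode=True).decode(charset, "replace").strip()
        if body:
            leaks.append(body)
    return leaks


if __name__ == "__main__":
    for name, raw in (("clean", CLEAN), ("leaky", LEAKY), ("plain", PLAIN)):
        found = cleartext_leaks(raw)
        print(name, "LEAK: %r" % found if found else "ok")
```
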