08.11.2017

Outlook Might Not Have Encrypted Your Emails If You Used S/MIME Encryption

Outlook Might Not Have Encrypted Your Emails If You Used S/MIME Encryption

People that use Microsoft Outlook to send encrypted emails S/MIME standard might have had the content leaked by an Outlook bug. The issue sent an encrypted and unencrypted form. An attacker might be able to read the contents of the email.

The bug happens in the scenarios bellow:

  • Only emails encrypted with the S/MIME public key encryption standard are affected, but not PGP/GPG.
  • Leak of encrypted emails occurs only for emails "sent" using Outlook, not received in Outlook.
  • The leak occurs only for Outlook emails sent in plaintext. Default Outlook setting is to use HTML formatting.
  • Leaks also happen when users try to encrypt responses to plaintext emails. Outlook automatically changes the default HTML formatting to plaintext when responding to such emails.
  • The leak occurs all the time if the user utilizes Outlook with an SMTP server.
  • The leak can occur when only one server hop for Outlook clients using Microsoft Exchange infrastructure. This limits the leak of encrypted emails inside a company's network. TLS must also be disabled for email communications.
  • Leak also occurs in the recipient's email client. Because email clients show email message previews, an attacker can view the content of the encrypted message even if he doesn't have access to the target's private encryption key. For example, an attacker who gained access to a victim's email password but not his S/MIME private key can read some of the encrypted messages the victim received, sent by users running leaky Outlook installations.

 Companies use encryption to safeguard sensitive information. Most bugs and vulnerabilities reports are handled in an encrypted format. People had contacted Microsoft about the issue and Microsoft didn`t mention what versions had the issue or version that are from May 2017.

How Frama UK can help?

Frama RMail a solution that makes using encryption easy for both sender and recipient, navigating many of the issue outlined above.

The sender simply uses a two-click system to send the encrypted email. The recipient does not need to install any software, open an account or log on to any portal to access the secure email message. The recipient opens the email in exactly the same way as any other email!

To ensure that the reply from the recipient is also encrypted, RMail provides an easy-to-use “reply encrypted” solution within every message received.

Due to this ease-of-use, RMail removes the perceived barrier of entry to encryption and provides a simple solution to a previously complicated problem ensuring security and compliance when sending sensitive and/or financial data via email.

www.bleepingcomputer.com/news/security/outlook-might-not-have-encrypted-your-emails-if-you-used-s-mime-encryption/

Contact us