Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Bug Caused Microsoft Outlook to Send Emails in Cleartext

A vulnerability that that was recently addressed by Microsoft as part of the October 2017 Patch Tuesday could result in Outlook sending emails in cleartext when S/MIME encryption was supposed to be used.

A vulnerability that that was recently addressed by Microsoft as part of the October 2017 Patch Tuesday could result in Outlook sending emails in cleartext when S/MIME encryption was supposed to be used.

Discovered by SEC Consult researchers, the bug impacted Outlook’s S/MIME functionality and was supposedly introduced about six months ago. Both Microsoft Outlook 2016 32-bit and 64-bit editions are affected.

The S/MIME standard is used for end-to-end encryption and for the signing of emails, and is supported by most popular mail clients, including Microsoft Outlook, Mozilla Thunderbird, Apple Mail, and mail clients for mobile devices. However, mail clients need to be configured to use S/MIME through installing a personal certificate and exchanging certificates with communication partners.

Even the United States Department of Defense uses S/MIME, but there isn’t much information available on other organizations that use the standard, SEC Consult says.

Tracked as CVE-2017-11776, the Outlook flaw resulted in emails not being encrypted as expected when S/MIME encryption was in use. Because of this issue, the contents of S/MIME encrypted mails would show in Outlook Web Access (OWA), which led to the vulnerability’s discovery, the researchers say.

No action is required from an attacker looking to trigger the vulnerability.

“There is a bug in Outlook that causes S/MIME encrypted mails to be send in encrypted and unencrypted form (within one single mail) to your mail server (and the recipient’s mail server and client and any intermediate mail servers). The impact is that a supposedly S/MIME encrypted mail can be read without the private keys of the recipient. This results in total loss of security properties provided by S/MIME encryption,” SEC Consult explains.

The vulnerability is difficult to spot by the sender, as there is no indication of it in the “Sent Items” folder. In fact, Outlook would display the message as if it was properly encrypted, the researchers explain.

Because the vulnerability impacts the mail body S/MIME encryption and not transport level security (TLS), only emails sent from Outlook are impacted. The issue has no effect on incoming S/MIME encrypted mails, where Outlook acts as the recipient.

The security researchers also explain that only messages sent in “Plain Text” format are affected by the vulnerability. What should be noted, however, is that Outlook formats mails in “Plain Text” by default when replying to “Plain Text” formatted emails.

According to SEC Consult, most security conscious organizations only use “Plain Text” formatted emails, and even DoD recommends the exclusive use of “Plain Text” formatted emails (PDF).

Depending on the used transport protocol, the scope of the vulnerability differs. In Outlook with Exchange, plaintext leaks one hop only if the recipient and sender are in the same domain. In Outlook using SMTP, the plaintext leaks to all mail servers along the path and the recipient.

The vulnerability was addressed in both Microsoft Outlook 2016 editions on October 10, 2017, as part of Microsoft’s regular set of monthly patches.

“The much harder problem is to determine the actual impact and remediate the legacy of affected mails containing confidential data,” SEC Consult notes.

Related: Microsoft Patches Office Zero-Day Used to Deliver Malware

Related: Hackers Can Execute Code on Windows via DNS Responses

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Cloud Security

Microsoft and Proofpoint are warning organizations that use cloud services about a recent consent phishing attack that abused Microsoft’s ‘verified publisher’ status.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Cybersecurity Funding

UK-based email security and brand protection solutions provider Red Sift on Thursday announced raising $54 million in a Series B funding round that brings...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Software maker Adobe has rolled out its first batch of security patches for 2023 with fixes for at least 29 security vulnerabilities in a...