Outlook may not encrypt your email if you use S/MIME encryption
Users who send encrypted email from Microsoft Outlook using the S/MIME standard may leak information because of a bug in Outlook.
The problem is that Outlook sends these emails in both encrypted and unencrypted form. An attacker who can observe email traffic can read the contents of these emails. The error occurs only under the circumstances below.
- Only email encrypted with the S/MIME public-key encryption standard is affected; PGP/GPG is not.
- It affects only email sent by Outlook, not received mail.
- It occurs only with Outlook email sent in plain-text format. Outlook's default setting is HTML format.
- It occurs when the user encrypts a reply to a plain-text email. Outlook automatically switches from its default HTML format to plain text when replying to such an email.
- It occurs when Outlook is used with an SMTP server.
- When the Outlook client uses Microsoft Exchange, the leak goes one server hop. This limits the leak of the encrypted email to the corporate network. TLS must be turned off for the email communication.
- It shows up in the recipient's email client. Because email clients display a preview of the email content, an attacker can view the content of the encrypted email even without the encryption key. For example, an attacker who has the email password but not the S/MIME key can still read received content that was sent by the faulty Outlook installation.
Although it is limited to these situations, the leak is still a serious issue. Companies often use encryption to protect sensitive information shared by email. Many bug and vulnerability reports are also sent in encrypted form.
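A mailbox audit for the leak described above, as an added example that is not from the article or from SEC Consult: it flags any stored message that carries an S/MIME enveloped-data part together with a readable text part. It assumes the unencrypted copy travels inside the same MIME message as the encrypted one, which the article does not specify; the function name `find_cleartext_leak` and the sample messages are constructed for illustration.

```python
from email import message_from_bytes, policy

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def find_cleartext_leak(raw: bytes) -> list[str]:
    """Return readable text parts that sit beside an S/MIME envelope."""
    msg = message_from_bytes(raw, policy=policy.default)
    parts = list(msg.walk())
    # Encrypted payloads are enveloped-data; signed-only mail is not secret.
    encrypted = any(
        p.get_content_type() in SMIME_TYPES
        and p.get_param("smime-type", "enveloped-data") == "enveloped-data"
        for p in parts
    )
    if not encrypted:
        return []
    leaked = []
    for p in parts:
        if p.get_content_maintype() == "text":
            text = p.get_content().strip()
            if text:
                leaked.append(text)
    return leaked

# Constructed samples (assumed layout, placeholder ciphertext).
HEAD = b"From: alice@example.com\nTo: bob@example.com\nMIME-Version: 1.0\n"
P7M = (b'Content-Type: application/pkcs7-mime; smime-type=enveloped-data;\n'
       b' name="smime.p7m"\nContent-Transfer-Encoding: base64\n\n'
       b"Q09OU1RSVUNURUQ=\n")
LEAKY = (HEAD + b'Content-Type: multipart/mixed; boundary="b1"\n\n'
         b'--b1\nContent-Type: text/plain; charset="us-ascii"\n\n'
         b"Q3 revenue draft: do not forward.\n"
         b"--b1\n" + P7M + b"--b1--\n")
CLEAN = HEAD + P7M
PLAIN = HEAD + b"Content-Type: text/plain\n\nLunch at noon?\n"

if __name__ == "__main__":
    for name, raw in (("leaky", LEAKY), ("clean", CLEAN), ("plain", PLAIN)):
        hits = find_cleartext_leak(raw)
        print(name, "LEAK" if hits else "ok", hits)
```

Run it over messages exported from the Sent Items folder or captured at the mail gateway; any non-empty result means message text is readable without the S/MIME private key.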
S/MIME encryption may still not protect your email in Outlook
Microsoft is silent about the real impact
SEC Consult researchers discovered the S/MIME encrypted email leak earlier this year. Another user also reported the same issue on the Microsoft forum a month later.
The researchers said they contacted Microsoft about the error, and the company fixed it yesterday in a Tuesday patch, as CVE-2017-11776. Microsoft does not disclose which versions of Outlook are affected, meaning it can affect every version.