Microsoft built a whopper of an error inside its OUTLOOK email product. Outlook users who relied on the security features embedded in the email software should now consider themselves compromised. SEC Consult researchers discovered that the Outlook S/MIME encryption used to secure emails was sending both the encrypted version of a message and the unencrypted text version in the same email.

"In the context of encryption this can be considered a worst-case bug," stated the review by SEC Consult.

The error basically sends the "secure" emails in encrypted and unencrypted form to the sender's designated email server and then on to the recipient's email server. The result is that a so-called "secure" email can now be read without the private key of the recipient. This is a total failure of the encryption product, compromising the data and contents of the email.

Outlook users who sent encrypted "secure" emails through servers that were themselves compromised, as in the Yahoo breach, may find that the Microsoft security did not protect them from a hacker. Outlook emails sent using the Simple Mail Transfer Protocol (SMTP) leak the plaintext to every mail server that passes them along as well as to the recipient's email server. Hackers using data mining tools can, in fact, scan for the compromised emails, since they contain both the clear open text and the encrypted text.

In addition, attackers can also access the clear text email data from the recipient's mail inbox, whether it is locally stored on a compromised Outlook system or inside a compromised email service. Thus an attacker who gained access to a victim's local Outlook email password, but not his private key, can still read encrypted messages the victim received that were sent by users running the flawed Outlook software.
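As an added example (not from the article or from SEC Consult), here is a check a mail administrator could run over archived messages to find the condition described above: an S/MIME enveloped part travelling beside a readable text part in the same message. The two sample messages are constructed, and the base64 payload is a placeholder rather than real CMS data.

```python
import email
from email import policy

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

# Constructed sample (not a real capture): an S/MIME enveloped part with a
# readable text/plain sibling, the condition the article describes.
LEAKING_MESSAGE = b"""\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

The merger closes on Friday. Keep this confidential.
--b1
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""

# Constructed sample of a correctly built message: the envelope is the only
# body. The base64 line is a placeholder, not real CMS data; it is never decoded.
PROPER_MESSAGE = b"""\
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
"""


def smime_plaintext_leak(raw: bytes) -> list[str]:
    """Return readable text carried outside an S/MIME envelope ([] if none).

    A proper encrypted message has one leaf body, the enveloped-data part;
    any text/* leaf beside it is plaintext every relay and mailbox can read.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    has_envelope, leaked = False, []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no body of their own
        ctype = part.get_content_type()
        # A missing smime-type is counted as enveloped so the check errs toward flagging.
        if ctype in SMIME_TYPES and part.get_param("smime-type", "enveloped-data") == "enveloped-data":
            has_envelope = True
        elif ctype.startswith("text/"):
            if (text := part.get_content().strip()):
                leaked.append(text)
    return leaked if has_envelope else []
```

Any non-empty list returned for a message in a sent or received folder means that message's contents should be treated as exposed, as the article advises.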

While Microsoft has issued a fix for the error, it has not yet acknowledged it or released any data as to when the error first appeared inside Outlook. The error was discovered a little over six months ago, and another Microsoft user reported the problem about a month later in the Outlook forums. However, Microsoft has not revealed whether the error appeared only in recent versions of Outlook or has been inside all previous versions, spanning years of use.

Basically, all Outlook users should immediately update their product with the latest patch issued by Microsoft, and they should consider all "secure" S/MIME emails to be compromised.

In encryption terms the Outlook error is a total security bomb. Outlook users would have been better off if they had not encrypted emails at all, in the hope that they might be overlooked by hackers. The S/MIME encrypted text embedded inside any email can act as a scan beacon, or a red flag if you will, to data mining software designed to detect its signature. Thus, the Microsoft failure allows hackers to zero in on the affected emails and pull out the clear text.

Yet this is an example of the relatively poor encryption package and design employed by Microsoft. The current Microsoft package of encryption software tools, although spanning most of the popular algorithms such as DES, RSA and AES, is cumbersome and often not standard. Neither the RSA nor the AES package uses standardized protocols, making them difficult to employ with software from other manufacturers or operating systems. Public key construction, key extraction and even storage of private keys are in many cases done using a Microsoft proprietary design.

In addition, a lesson learned from the WikiLeaks CIA Vault 7 files illustrates the poor status of Microsoft encryption. CIA hackers often opted to use encryption packages from other sources when they designed and built malware to penetrate Microsoft systems, instead of selecting the obvious choice. This selection was made by professionals with a clear design requirement for communications and data security, apparently something the Microsoft products lacked.

Microsoft has also come under fire before for quietly putting in "security" features that were not really secure and then not informing its customers. For example, Microsoft obtained the recovery key for Windows 10 users who encrypted their hard drives. Users of the BitLocker device encryption package discovered that you must also sign in to Windows with a Microsoft account or a Windows domain account to turn it on. Thus, users found that their drive recovery key was then stored in the OneDrive account, and Microsoft had access to their encrypted hard drive through the recovery key.

While Microsoft openly explained it would never use the key to illegally access a user's data, unspoken was the fact that legal access by law enforcement was a very real feature. Officials from nations worldwide can legally compel Microsoft to hand over a drive key. Worse, bad actors, whether a nation state or an individual, might be able to hack the company and retrieve a key.
