Outlook vulnerability may leak encrypted email data via S/MIME

Outlook Might Not Have Encrypted Your Emails If You Used S/MIME Encryption

Many people use Microsoft Outlook to send out secure emails encrypted via the S/MIME standard. A researcher called Sec Consult has discovered  a leak of Outlook S/MIME encrypted emails by accident earlier this year. Another user known as “Rsec” posted the same findings on a Microsoft forum post in June of this year.

Interestingly, a representative at Microsoft is yet to respond to the post from June.

This vulnerability occurs because Outlook sends email in both encrypted and un-encrypted protocols. If a person who thinks they are sending an encrypted email with sensitive information, they may be unaware that the email is in fact sent through an encrypted channel.

The bug is not a general problem, but only manifests under certain scenarios, described below:

• Only emails encrypted with the S/MIME public key encryption standard are affected, but not PGP/GPG.
• Leak of encrypted emails occurs only for emails “sent” using Outlook, not received in Outlook.
• The leak occurs only for Outlook emails sent in plaintext. Default Outlook setting is to use HTML formatting.
• Leak also happens when users try to encrypt responses to plaintext emails. Outlook automatically changes the default HTML formatting to plaintext when responding to such email.
• The leak occurs all the time if the user utilizes Outlook with an SMTP server.
• The leak occurs only one server hop for Outlook clients using Microsoft Exchange infrastructure. This limits the leak of encrypted emails inside a company’s network. TLS must also be disabled for email communications.
• Leak also occurs in the recipient’s email client. Because email clients show email message previews, an attacker can view the content of the encrypted message even if he doesn’t have access to the target’s private encryption key. For example, an attacker who gained access to a victim’s email password but not his S/MIME private key can read some of the encrypted messages the victim received, sent by users running leaky Outlook installations.

A fix for the problem is available and you can also check if your version affected:

• Outlook Version with fix to this vulnerability (CVE-2017-11776):
• Deferred Channel: Version 1705 (Build 8201.2200) – released on 2017-10-10
• Monthly Channel: Version 1708 (Build 8431.2107) – released on 2017-10-10