Users of Microsoft's Outlook e-mail client who rely on the S/MIME encryption standard are not actually protecting the content of their e-mails, because of a bug in the application.
The issue occurs because Outlook sends the affected e-mail messages in both encrypted and unencrypted form. An attacker who is able to intercept the traffic of the e-mail account on its way to the recipient can therefore read the content of these messages without touching the encryption at all.
The bug is not general; it only occurs when the following conditions are met:
- It affects only e-mails encrypted with the S/MIME public-key encryption standard, not PGP/GPG.
- The leak of encrypted content appears only for e-mails that are sent using Outlook, not for e-mails received by Outlook.
- The leak only occurs for e-mails that Outlook sends in plain-text format. Outlook's default setting is to use HTML formatting.
- The leak also occurs when users encrypt replies to plain-text e-mails, because Outlook automatically switches from the default HTML formatting to plain text when replying to such messages.
- The leak occurs every time if the user uses Outlook with a plain SMTP server.
- For Outlook clients that use Microsoft Exchange infrastructure, the leak only appears on the next hop server. This limits the leak of encrypted e-mails to within the corporate network.
- There is also a leak in the recipient's e-mail client. Because e-mail clients display previews of messages, an attacker with access to that client can see the content of the encrypted message even without the recipient's private decryption key.
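As an added illustration (this is not code from SEC Consult, Microsoft or the original article), the following Python script shows how the leak described above can be spotted on the wire or in an exported .eml file: it walks the MIME tree of a message and flags any S/MIME enveloped-data part that has a readable text body travelling beside it. The MIME layout of the constructed sample, the example addresses and the placeholder ciphertext bytes are assumptions for illustration; the page does not show Outlook's exact message structure.

```python
"""Added example, not from the advisory or from Microsoft: detect an S/MIME
message that carries an unencrypted text body next to its encrypted envelope.
The layout of the constructed sample is an assumption."""
import email
from email import policy
from email.message import EmailMessage

SMIME_TYPES = ("application/pkcs7-mime", "application/x-pkcs7-mime")


def build_sample(leak: bool) -> bytes:
    """Constructed test vector. The ciphertext is a placeholder, not real CMS data."""
    outer = EmailMessage()
    outer["From"] = "alice@example.com"   # assumed address
    outer["To"] = "bob@example.com"       # assumed address
    outer["Subject"] = "quarterly numbers"
    outer.make_mixed()
    if leak:
        # The plaintext copy that should never have left the client.
        plain = EmailMessage()
        plain.set_content("Revenue fell 12% last quarter. Do not forward.")
        outer.attach(plain)
    envelope = EmailMessage()
    envelope.set_content(
        b"\x30\x82\x01\x00PLACEHOLDER-CMS-ENVELOPED-DATA",  # not real ciphertext
        maintype="application",
        subtype="pkcs7-mime",
        filename="smime.p7m",
        params={"smime-type": "enveloped-data", "name": "smime.p7m"},
    )
    outer.attach(envelope)
    return outer.as_bytes()


def find_smime_leak(raw: bytes) -> dict:
    """Report whether `raw` is S/MIME-encrypted and whether plaintext travels beside it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    enveloped = False
    plaintext = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in SMIME_TYPES:
            # Only enveloped-data counts as encryption; a missing smime-type
            # parameter is treated as enveloped to stay on the safe side.
            if part.get_param("smime-type", "enveloped-data") == "enveloped-data":
                enveloped = True
        elif ctype in ("text/plain", "text/html"):
            # Any readable body outside the envelope is the leak we are looking for.
            body = part.get_content().strip()
            if body:
                plaintext.append(body)
    return {
        "encrypted": enveloped,
        "leaks": enveloped and bool(plaintext),
        "plaintext": plaintext,
    }


if __name__ == "__main__":
    for leak in (True, False):
        print("leak" if leak else "clean", find_smime_leak(build_sample(leak)))
```

The check deliberately keys on enveloped-data only: a multipart/signed message is expected to contain readable text next to its signature, so it is not flagged. Run over a mailbox export or at a mail gateway, the script will also flag a message that intentionally carries an encrypted attachment together with a cover note, so treat a hit as something to inspect rather than as proof of the bug.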
The encryption leak, although limited to the above scenarios, is a sensitive issue: both companies and individuals use encryption precisely to protect sensitive information they exchange via e-mail.
Researchers at SEC Consult discovered the leak of encrypted Outlook e-mails by accident.
The researchers said they contacted Microsoft about the issue, and the company released a fix, tracked as CVE-2017-11776, on Tuesday, 10 October 2017.
Microsoft did not reveal which versions of Outlook were affected by this issue.
For now, companies and individuals who fit the above scenarios are vulnerable to CVE-2017-11776 and should update Outlook immediately.