Who knows how long Outlook has been sending supposedly encrypted emails with a plain text readable version included? Microsoft isn’t telling their customers, presumably hoping we won’t notice.
SEC Consult discovered a serious breach in Outlook’s email encryption system. Secure messages were being sent with a plain text readable version included! Ouch.
[Figure: MIME structure of a buggy Outlook message. Source: SEC Consult]
Above is part of a buggy Outlook message. The top section, ‘text/plain’ with the readable text ‘Secret’, should not be there. The lower section, ‘application/pkcs7-mime’ with the smime.p7m attachment, is the encrypted message.
In the right circumstances, a plain text version of the message is displayed. Not only should a text version not be displayed, it should not be in the message at all. The exposed message is saved on the mail server. Grrrrr.
This security breach isn’t apparent to the sender. Looking in Sent Items wrongly indicates that the message was properly secured.
Who is affected?
Outlook 2016 for Windows only. The bug is in Outlook 2016, which sends the plain text version in the first place.
The ‘secure’ message has to be formatted as text. Messages in HTML or Rich Text format are OK.
Whether the plain text rendering of the message is visible depends on the email client. Outlook Web Access (OWA) will display the plain text, for example in the preview.
What about exposed messages already sent?
The Outlook 2016 bug patch only fixes future messages. It’s no help for the exposed ‘secure’ messages already sent.
The insecure messages are stored on Exchange Server machines. That’s a factor Microsoft hasn’t mentioned at all, let alone suggested any remedy.
Burying the bad news
In the news, the question is sometimes “What do they know and how long have they known it?”. That definitely applies in this case.
The 10 October 2017 patch to fix this problem is here, but there’s no mention on that page of the secure messaging bug. There are plenty of other fixes and a vague reference to yet another “allow remote code execution if a user opens a specially crafted Office file.” Nothing on the most embarrassing and critical issue.
Microsoft has a rating system that is supposed to tell customers how bad a security bug is. But Microsoft decides those ratings, and it’s in their interests to lower a rating. In this case, the bug only gets an ‘Important’ severity, the second highest rating. We think exposing encrypted emails is about as bad as it can get and deserves the highest severity.
The Exploitability rating is also downplayed. Sending buggy ‘secure’ messages only gets a “3 – Exploitation Unlikely” rating. We disagree. While the plain text rendering only appears in some instances, like OWA, the exposed messages are still in server mail storage, so the risk is still there and the possible exploitations can’t be properly judged. It seems that any successful attack on a mail server can result in exposing messages that should be unreadable.
How long have they known it?
Microsoft is also quiet about how long the bug has been sending out unencrypted messages.
The bug has been around for at least FOUR months and probably much longer. How much longer? Only Microsoft knows and they aren’t saying.
That’s important because those exposed messages are still sitting on Exchange Servers. Administrators and users would like to know what to search for in their Inboxes and, perhaps, Sent Items.
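As an added example (it is not from this article, from SEC Consult’s write-up, or from Microsoft), here is a small Python script that parses messages and flags the exact shape described above: a readable ‘text/plain’ part travelling beside an ‘application/pkcs7-mime’ part. It is the kind of check an administrator could run over an exported mailbox to find already-sent affected messages. The two sample messages are constructed for the example, the base64 body is a stand-in rather than a real S/MIME envelope, and the mbox walker assumes an mbox export (a placeholder path; Outlook and Exchange exports would need converting first).

```python
import email
import mailbox
from email import policy
from email.message import EmailMessage

# Content types used for S/MIME envelopes (both registered spellings).
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

# Constructed sample of the bad shape: a readable text/plain part beside the
# smime.p7m envelope. The base64 body is a stand-in, not a real envelope.
LEAKY_RAW = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Secret
--b1
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
--b1--
"""

# Constructed sample of a correctly built S/MIME message: the envelope alone.
CLEAN_RAW = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: quarterly numbers
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""


def parse(raw: bytes) -> EmailMessage:
    """Parse raw message bytes with the modern policy so parts expose get_content()."""
    return email.message_from_bytes(raw, policy=policy.default)


def leaked_plaintext(msg: EmailMessage) -> list[str]:
    """Return the text of every text/plain part that sits beside an S/MIME part.

    An empty list means there is no S/MIME part or no readable sibling,
    i.e. the message is not an instance of the bug.
    """
    has_smime = False
    plain: list[str] = []
    for part in msg.walk():          # walk() visits the root and every nested part
        ctype = part.get_content_type()
        if ctype in SMIME_TYPES:
            has_smime = True
        elif ctype == "text/plain":
            plain.append(part.get_content().strip())
    return plain if has_smime else []


def scan_mbox(path: str) -> list[tuple[str, list[str]]]:
    """Walk an mbox export (for example of Sent Items) and list affected subjects."""
    box = mailbox.mbox(
        path,
        factory=lambda f: email.message_from_binary_file(f, policy=policy.default),
    )
    hits = []
    for msg in box:
        leaked = leaked_plaintext(msg)
        if leaked:
            hits.append((str(msg["Subject"] or "(no subject)"), leaked))
    return hits


if __name__ == "__main__":
    print("leaky:", leaked_plaintext(parse(LEAKY_RAW)))   # ['Secret']
    print("clean:", leaked_plaintext(parse(CLEAN_RAW)))   # []
    # scan_mbox("/path/to/sent-items.mbox")  # placeholder path for a real export
```

The detection logic lives entirely in leaked_plaintext(); scan_mbox() is just one way to feed it stored mail. A message that only carries the ‘application/pkcs7-mime’ part comes back clean, while one with a readable sibling returns the exposed text, which is what an administrator would want to find (and purge) on the server.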
Microsoft publicly disclosed the bug and the patch on the same day 10 October 2017.
The bug was mentioned and confirmed on one of Microsoft’s own community forums in early June 2017. It seems that well-documented bug report was ignored by Microsoft despite the heading “Mail encryption using S/MIME seems to be broken in Outlook 2016”, which should have got some ‘softies’ attention.