
Smime outlook web app

This has been a rather unusual vulnerability discovery. Unlike other cases, we kind of stumbled upon the first indications of this vulnerability by pure coincidence (we did not search for Outlook vulnerabilities). We knew something was seriously wrong when we noticed that the contents of S/MIME encrypted mails were shown in Outlook Web Access (OWA).

S/MIME is an IETF standard for end-to-end encryption and signing of mails. Most popular mail clients, including Microsoft Outlook, Mozilla Thunderbird, Apple Mail, and the mail clients on Apple iOS and Samsung Knox devices, support S/MIME. Along with similar technologies like PGP/GPG, it is used by security- and privacy-conscious individuals and organizations to protect their mail communication. To use S/MIME, the mail client has to be configured; this includes installing a personal certificate and exchanging certificates with communication partners. In an environment where mail servers or network hops between sender and recipient are compromised, S/MIME will still protect the mail's body against unauthorized access (confidentiality) and manipulation (integrity, authenticity).

There is a bug in Outlook that causes S/MIME encrypted mails to be sent in encrypted and unencrypted form (within one single mail) to your mail server (and to the recipient's mail server and client, and to any intermediate mail servers). The impact is that a supposedly S/MIME encrypted mail can be read without the private keys of the recipient. This results in a total loss of the security properties provided by S/MIME encryption. In the sender's "Sent Items" folder, there is no indication of the problem whatsoever: the message is displayed in Outlook as if it was properly encrypted. To trigger the vulnerability, no active involvement by an attacker is required; an attacker might remain completely passive. Note: this vulnerability affects mails where Outlook is used as the sender and has no impact on incoming S/MIME encrypted mails, where Outlook acts as the recipient. This is about S/MIME encryption of the mail body, not transport-level security (TLS). We observed that this vulnerability only triggers with mails that are formatted in "Plain Text".
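As an added example (not code from the advisory, from Outlook or from Microsoft), the following Python check is one a mail-gateway or forensic reviewer could run over stored messages to flag the shape this bug produces: an S/MIME enveloped-data part travelling in the same message as a readable text body. The two message samples are constructed, and the check is a heuristic assumed here, not Outlook's own logic.

```python
from email import message_from_string
from email.message import Message

# Content types that carry CMS data; smime-type=enveloped-data marks encryption.
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}

def classify_parts(msg: Message):
    """Walk the MIME tree; return (has_encrypted_part, list of cleartext bodies)."""
    has_encrypted, cleartext = False, []
    for part in msg.walk():
        ctype = part.get_content_type()
        smime_type = str(part.get_param("smime-type", "")).lower()
        if ctype in SMIME_TYPES and smime_type == "enveloped-data":
            has_encrypted = True
        elif ctype in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            text = raw.decode(part.get_content_charset() or "utf-8", "replace")
            if text.strip():
                cleartext.append(text.strip())
    return has_encrypted, cleartext

def leaked_bodies(raw_mail: str) -> list:
    """Cleartext bodies travelling beside an encrypted part; [] means no leak."""
    has_encrypted, cleartext = classify_parts(message_from_string(raw_mail))
    return cleartext if has_encrypted else []

# Constructed sample with the bug's shape: the S/MIME envelope plus a cleartext
# copy of the body in one multipart (the CMS blob is dummy base64, not real CMS).
LEAKY_MAIL = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Revenue is down 12%, keep this confidential.
--b1
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
--b1--
"""

# Constructed sample of a correctly built S/MIME mail: the envelope is the whole body.
SAFE_MAIL = """\
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"

MIAGCSqGSIb3DQEHA6CAMIACAQAxggE=
"""
```

Run it as `leaked_bodies(LEAKY_MAIL)` to get the cleartext that escaped the envelope, and `leaked_bodies(SAFE_MAIL)` returns an empty list. A non-empty result on an outbound S/MIME mail is the condition worth alerting on.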