Beware: if you are using the S/MIME protocol in Microsoft Outlook to encrypt your email communication, you need to watch out.
For at least the last six months, your messages have been sent in both encrypted and unencrypted forms, exposing all your secret and sensitive communications to potential eavesdroppers.
S/MIME, or Secure/Multipurpose Internet Mail Extensions, is an end-to-end encryption protocol, based on public-key cryptography and working much like SSL connections, that enables users to send digitally signed and encrypted messages.
According to a security advisory published by SEC Consult earlier this week, a severe bug (CVE-2017-11776) in the Microsoft Outlook email client causes S/MIME-encrypted emails to be sent with their unencrypted versions attached.
When Outlook users make use of S/MIME to encrypt their messages and format their emails as plain text, the vulnerability allows the seemingly encrypted emails to be sent in both encrypted as well as human-readable clear-text forms, the researchers explain.
Users would be unaware of this security issue, as the messages would appear as encrypted in the Outlook application's "Sent Items" folder.
Therefore, attackers with access to the unencrypted server-to-server or client-to-server connections could easily take advantage of this vulnerability to read the email communications in plain text.
So if you used Outlook's S/MIME encryption for emails in the past six months, your emails have not been encrypted at all; instead, they went out in plain text.
According to the researchers, the scope of the vulnerability depends on how you have Outlook configured.
1. Outlook with Exchange (Impact limited to the first hop)
If you are using Outlook with Exchange, the plain text version of the encrypted emails will only reach one hop (to the sender's Exchange), as sending emails to external exchanges removes the plaintext part from the message.
But if the recipient and sender are in the same domain (Exchange), the plain text part will be forwarded to the recipient as well.
2. Outlook using SMTP (Impact on the entire mail path)
If you are running Outlook with SMTP, the plain text version of the encrypted emails will not only be received by the recipient but also by all mail servers along the path.
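As an added illustration (not code from SEC Consult or Microsoft), the following Python check walks a stored message's MIME tree and flags the shape this bug produced: an S/MIME enveloped-data part sitting beside a readable text part. The message layout and the base64 blob are constructed placeholders, not captured from Outlook.

```python
# Added example (not from the advisory or Microsoft): flag stored messages that
# carry an S/MIME enveloped part AND a readable text part, the shape this bug
# produced. Samples below are constructed; the base64 blob is a placeholder.
from email import message_from_string

SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
CLEARTEXT_TYPES = {"text/plain", "text/html"}


def classify_message(raw: str) -> dict:
    """Walk all MIME leaves; report encrypted parts, cleartext parts, leakage."""
    msg = message_from_string(raw)
    encrypted, cleartext = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        if ctype in SMIME_TYPES and part.get_param("smime-type") == "enveloped-data":
            encrypted.append(ctype)
        elif ctype in CLEARTEXT_TYPES:
            cleartext.append(ctype)
    # A body that is both enveloped and present in clear defeats the encryption.
    return {"encrypted": bool(encrypted), "cleartext": cleartext,
            "leaks_plaintext": bool(encrypted) and bool(cleartext)}


# Constructed sample: encrypted blob plus an unencrypted copy of the body.
LEAKY_MESSAGE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Draft revenue figures, internal only.
--b1
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQA=
--b1--
"""

# Constructed sample: a correctly encrypted S/MIME message, no cleartext part.
CLEAN_MESSAGE = """\
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQA=
"""
```

Run `classify_message` over exported messages from a "Sent Items" folder or a mail server's store; any result with `leaks_plaintext` set is a message whose encryption was defeated in transit.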
Security researcher Kevin Beaumont independently verified the authenticity of the vulnerability, tweeting "Outlook S/MIME bug is absolutely reproducible, I just did it. Does not need an attacker. Microsoft has classified it wrong."
"To trigger the vulnerability, no active involvement by an attacker is required. An attacker might remain completely passive," the advisory reads.
"The impact is that a supposedly S/MIME encrypted mail can be read without the private keys of the recipient. This results in total loss of security properties provided by S/MIME encryption."
Patch Outlook & Other Critical Windows Vulnerabilities
SEC researchers discovered the issue in May and responsibly reported it to Microsoft, but did not hear back from the tech giant.
Microsoft released a patch to address the bug in this month's release of security updates, and rated the issue as "important," claiming the exploitation of this vulnerability was "unlikely" in the wild.
So, if you use Outlook's S/MIME for encrypting your sensitive emails, you are advised to patch your system and software as soon as possible.