If you’ve sent encrypted messages via Outlook Mail in the last six months, there is a high chance that they weren’t as secure as you were led to believe. According to researchers looking into the security update Microsoft issued earlier this week, a major bug has exposed S/MIME-encrypted emails in plaintext to third-party interception (via ZDNet).
Put simply, when a mail is encrypted and signed end to end, its content can only be read by the holder of the recipient’s private key (the person it is sent to). Even in the Sent folder, these emails are stored encrypted. That is where Microsoft’s mail service botched things: instead of sending only the encrypted message, Outlook also sent an unencrypted copy of it to the receiving end.
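As an added example (not from the article, ZDNet or Microsoft), here is a small Python check a mail administrator can run over exported .eml files to flag exactly the condition described above: a message that carries an S/MIME envelope and, alongside it, a readable text part. The two sample messages and the base64 stub standing in for the encrypted blob are constructed for the example.

```python
import email
from email import policy

# Content types used for S/MIME enveloped (encrypted) data.
SMIME_TYPES = {"application/pkcs7-mime", "application/x-pkcs7-mime"}


def plaintext_leak_parts(raw: bytes) -> list:
    """Return (content_type, body) for every non-empty text part in a message
    that also carries an S/MIME enveloped part. Empty list: no S/MIME part,
    or no readable copy travelling next to it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    has_smime = False
    leaks = []
    for part in msg.walk():  # visits the container and every nested part
        ctype = part.get_content_type()
        if ctype in SMIME_TYPES:
            has_smime = True
        elif ctype in ("text/plain", "text/html"):
            body = part.get_content().strip()
            if body:
                leaks.append((ctype, body))
    return leaks if has_smime else []


# Constructed sample: the envelope is a truncated base64 stub, not a real
# CMS blob, and the text/plain sibling is the unencrypted copy that leaked.
LEAKY_SAMPLE = b"""Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

The merger closes on Friday.
--b1
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

MIAGCSqGSIb3DQEHA6CAMIACAQAxggEw
--b1--
"""

# Constructed sample of a correctly formed message: the body is only the envelope.
CLEAN_SAMPLE = b"""Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

MIAGCSqGSIb3DQEHA6CAMIACAQAxggEw
"""
```

Run it over a Sent folder export and any non-empty result is a message whose body left the mailbox in the clear.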
Needless to say, it’s a big issue. Security researcher Kevin Beaumont has been following the bug and has even reproduced the issue himself.
Outlook S/MIME bug is absolutely reproducible, I just did it. Does not need an attacker. Microsoft have classified it wrong. @msftsecurity
— Beaumont Porg, Esq. (@GossiTheDog) October 10, 2017
The incident only affects those who use S/MIME encryption. Still, it leaves us wondering how many important private emails have been exposed by the vulnerability. Microsoft hasn’t released any further details.
Consider this your reminder to install this important Patch Tuesday fix before you send any more private emails!