Dumb bug of the week: Outlook staples your encrypted emails to, er, plaintext copies when sending messages

Attention anyone using Microsoft Outlook to encrypt emails. Researchers at security outfit SEC Consult have found a bug in Redmond's software that causes encrypted messages to be sent out with their unencrypted versions attached. You read that right: if you can intercept a network connection transferring an encrypted email, …

WONTFIX

This is Microsoft. Insecurity is a feature not a bug.

38
4
Anonymous Coward

Re: WONTFIX

We're talking MS here - security isn't even an option, & your privacy can go stick its head in a pig.

31
4

...& your privacy can go stick its head in a pig

Isn't that what Cameron did with his privates?

{allegedly, your honour}

14
2

Re: WONTFIX

Another way to slurp your data by Slurp </snark>

7
3

Re: WONTFIX

No, it's the "breakable" encryption the US government has long been fighting for.

31
0

Re: WONTFIX

Amber Rudd's rubbing her hands with glee!

2
0

Re: No offence...

But even in Linux/Opensource I've seen things labelled as "working as intended" and felt the need to hit a hard object forcefully in rage.

(Personally I don't care who/why/what if the software is doing something obviously wrong/broken or dumb, even if it's third party problems, then don't ask it to do it... I know I should not run into the road, even if the driver may be at fault, I'll still avoid doing it, and not label my activity as "working as intended" ;) ).

1
0

Re: No offence...

None taken. In fact I'm one of the most vocal opponents of the (albeit quite rare) "feature not a bug" mentality in the open source world.

1
0

Re: WONTFIX

Amber Rudd would instead request to ban computers from Britain as "Terrorists use them", shortly followed by banning pens and paper for the same reason, followed by oxygen.

Absolutely thick politician

0
0
Anonymous Coward

Dumb bug of the week...

...should be an actual column! You don't even have meta tags to direct your loyal readers to more articles of a similar style. Please fix this & start an actual DBotW series for us to be amused by!

47
0
Anonymous Coward

Re: Dumb bug of the week...

A feature section, nice idea.

16
0

Re: Dumb bug of the week...

Yeah, but I personally don't want to read about myself like once a month - considering the brain dead bug I discovered yesterday in my code. ;)

To be fair: this code is only used by two people in the world, and for the other person this is not an issue as her data is formatted differently...

12
0

Re: Dumb bug of the week...

Unfortunately, dumb bugs are like buses. You wait for ages and then three come at once.

I suspect these things appear too sporadically to guarantee a weekly feature. But an occasional article about dumb bugs is probably feasible.

2
0

By design?

Maybe some government entity is lurking in Redmond's back pocket. They always wanted backdoors.

Then again, trusting Microsoft is a risky thing anyway.

12
3

Re: By design?

Is this the new FBI version of security?

6
1

Testing a product works properly isn't hard

Oh, I forgot, they got rid of those people, didn't they.

Bring back the testers !

14
3

Testing a product works properly isn't hard

True, but testing that it doesn't work improperly is far more difficult.

41
0

True, but testing that it doesn't work improperly is far more difficult.

That's the easy part, there are these people called "users" who will do it for free.

9
1

> but testing that it doesn't work improperly is far more difficult.

it's not far more difficult, but it does require a specific mindset, one that users don't have...

2
0

"Bring back the testers"

The new system seems to be working fine.

MS ships alpha code. Users and security researchers test it. Bugs get reported back to Microsoft.

What are you complaining about?

3
0

Well, of COURSE!

This is the new Five Eyes-mandated encryption system. Get used to it. You know, 'cause terrorists.

13
1

What do you mean unencrypted? They used Dual ROT13 encryption!

11
0
Anonymous Coward

Of course they didn't use double ROT13, they used the much more secure NSA-approved multiple ROT26.

5
0

ROT26.

Those are both outdated technologies, what with Unicode and all that. These days you need to use ROT-1114112

0
0
Anonymous Coward

Microsoft is full of shitters...

^ this. Nothing more worth adding.

5
3

How long before ...

... Redmond sends in the shills to defend this obvious lack of testing?

Or will it be the DevOps fanbois, rushing in to defend a lack of QA?

9
2

Re: How long before ...

As a developer I respect good testers as they can save you from a lot of mistakes. The key is the system has to have different people do the development, code review, and testing even if it is because different people can interpret an ambiguous spec differently forcing someone to clarify what they want.

19
0

Re: How long before Redmond sends in the shills

I wouldn't hold your breath. Like they give a fuck about the chatter on here.....

1
4

Re: How long before ...

"As developer I respect good testers [..]"

Hire my dad. Seriously, if your code survives him, you can be sure that it is resilient and as close to bug free as it possibly can be.

2
0

Re: Hire my dad.

If your dad also goes by the name allthecoolshortnamesweretaken then I would imagine he has uncovered quite a few buffer overflows in his time.

4
0

Re: How long before ...

This also is the case for usability. Until something has been tried with a few real users you have absolutely no idea whether you've got it right or not. Until the people who think the monitor is the computer and switch it off when they go home, but leave the computer on - or who tell you that the email isn't working when they have a BSOD have tried it, it hasn't had real life testing.

0
0

Re: Hire my dad.

If your dad also goes by the name allthecoolshortnamesweretaken then I would imagine he has uncovered quite a few buffer overflows in his time.

That's just his first name. His surname is Smith '); DROP TABLE Comments;--

(and if the Reg comments system goes down after I click "submit", I will not know whether to laugh, cry, or flee the incoming vulture death-squads)

5
0

Re: Hire my dad.

... I thought it was Robert!

1
0

c'mon...

Everyone (should) know that attachments within e-mails that originate from unknown sources are best left unopened. So what could possibly go wrong here? :)

Even so... GPG4Win FTW. That's GnuPG for Windows (uses Kleopatra) and much to my first surprise it can hook directly into Outlook as well. And I'll take GPG over S/MIME any day of the week.

9
0

From what I remember, S/MIME-based encryption in Exchange was not intended for obfuscating the contents of the email. Instead, it was for validating that the original email was unchanged. From what I remember, being involved in writing the original RFC-style protocol documentation for Exchange, this was a known aspect of how S/MIME encryption worked. There always has to be some unencrypted part that leaked information, because the extended headers often contained identifiable information as well. How do you pass a public key in an extended header when all the extended headers are encrypted, was the root of the problem, and the message-body was just a longer-length version of that same problem. That's why they eventually went to SMTP over HTTPS/TLS, so that the encryption encapsulated the entire connection.

Or, I could be remembering it wrong, too :D. But, this rings a loud, clear bell in my recollection.

8
1
LDS

S/MIME was designed both for message signature and encryption. It is known that some transport data need to be in cleartext because of course only the recipient has the key to decrypt a message - still the message "payload" is encrypted, and it is in the server storage as well.

Then the transport may happen over an encrypted channel to ensure confidentiality of the whole message - but unluckily now you can only protect that data from/to your mail client and your mail server - whatever happens outside your mail server is not under your control - the SMTP protocol really needs an update - there's a good chance no transport encryption will be used, and even if it is, there is no provision to check the certificates of the server you're talking to.

5
0
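An added example (Python, not code from the article, from SEC Consult or from Microsoft) of the failure mode the article describes and the post above explains: a detector that parses a message in the form it has on the wire and flags an S/MIME enveloped-data part travelling beside readable content. The two sample messages are constructed for the demo, the CMS blob is a placeholder rather than a real EnvelopedData structure, and the leaky message's layout (plaintext body plus an smime.p7m attachment) is an assumption, since the article does not give the exact MIME structure Outlook produced.

```python
# Added example, not code from the article, SEC Consult or Microsoft.
# Parses a message in its on-the-wire form and reports whether an S/MIME
# encrypted part is accompanied by readable content, which is the leak the
# article describes. Sample messages are constructed; the CMS blob is a
# placeholder string, not a real EnvelopedData structure.
import email
from email import policy
from email.message import EmailMessage

SMIME_ENVELOPE = {"application/pkcs7-mime", "application/x-pkcs7-mime"}
SMIME_SIGNATURE = {"application/pkcs7-signature", "application/x-pkcs7-signature"}


def is_smime_encrypted(part) -> bool:
    """True for a CMS enveloped-data part (RFC 8551 section 3.3)."""
    if part.get_content_type() not in SMIME_ENVELOPE:
        return False
    smime_type = (part.get_param("smime-type") or "").lower()
    if smime_type:
        return smime_type in ("enveloped-data", "authenveloped-data")
    # Some older senders omit smime-type; fall back on the conventional filename.
    return (part.get_filename() or "").lower().endswith(".p7m")


def audit_message(raw: bytes) -> dict:
    """Classify every leaf part; a message leaks if ciphertext and readable content coexist."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    encrypted, exposed = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        ctype = part.get_content_type()
        if is_smime_encrypted(part):
            encrypted.append(ctype)
        elif ctype in SMIME_SIGNATURE:
            continue  # a detached signature over the ciphertext reveals nothing
        else:
            exposed.append(ctype)  # text body, HTML alternative or plain attachment
    return {
        "encrypted": encrypted,
        "exposed": exposed,
        "leaks_plaintext": bool(encrypted) and bool(exposed),
    }


def build_samples() -> dict:
    """Constructed messages: a correct S/MIME envelope and the leaky shape."""
    blob = b"MIIBogYJKoZIhvcNAQcDoIIBkzCCAY8CAQAxggFK"  # placeholder, not real CMS
    cms_params = {"smime-type": "enveloped-data", "name": "smime.p7m"}

    good = EmailMessage(policy=policy.SMTP)
    good["From"], good["To"], good["Subject"] = "alice@example.org", "bob@example.net", "Q3 numbers"
    good.set_content(blob, maintype="application", subtype="pkcs7-mime",
                     params=cms_params, filename="smime.p7m")

    leaky = EmailMessage(policy=policy.SMTP)
    leaky["From"], leaky["To"], leaky["Subject"] = "alice@example.org", "bob@example.net", "Q3 numbers"
    leaky.set_content("Q3 revenue is down 12%; do not forward.")  # the plaintext copy
    leaky.add_attachment(blob, maintype="application", subtype="pkcs7-mime",
                         params=cms_params, filename="smime.p7m")
    return {"good": good.as_bytes(), "leaky": leaky.as_bytes()}


if __name__ == "__main__":
    for name, raw in build_samples().items():
        print(name, audit_message(raw))
```

Run it against the raw message as captured at the MTA or on the wire rather than against what a client renders: a client that decrypts and displays only the envelope hides the extra part, which is why a check like this belongs on the server side. A signed-then-encrypted message still presents as a single p7m part and passes; only a multipart/signed wrapper around the ciphertext produces a sibling part, and that detached signature is deliberately not counted as exposure.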

it was for validating that the original email was unchanged.

Surely that could have been done including an MD5 hash of the original email, instead of including it verbatim?

0
0

Unlikely

Microsoft claimed the exploitation of this bug was "unlikely" in the wild.

Mostly because S/MIME is an essentially dead protocol, that only a handful of people have ever bothered with....

2
1

Re: Unlikely

I suppose mostly because there is no need to "exploit" if the plain text is helpfully sent along, eh?

Wait, this makes MSFT's statement technically correct, doesn't it?

6
2

Re: Unlikely

Microsoft claimed the exploitation of this bug was "unlikely" in the wild.

Mostly because S/MIME is an essentially dead protocol, that only a handful of people have ever bothered with....

S/MIME isn't dead. It's the standard protocol to use when encrypting internet mail within a PKI. The other common mail encryption protocol is PGP, but that isn't used within a PKI. If S/MIME is not much used it's because most people don't actually bother to encrypt their mail.

I would think that Microsoft regard exploitation of this bug as "unlikely" because they don't think anyone sends mail in plain text, nowadays.

5
0

Re: because they don't think anyone sends mail in plain text, nowadays

I expect they checked with their snooping powers and saw that no one sends mail in plain text...

3
0

Remind me...

...why do NSA and GCHQ have such big budgets?

3
1

Re: Remind me...

Remind me...why do NSA and GCHQ have such big budgets?

This either calls for a red riding hood joke or a dick joke.

6
0

By default...

... always consider email as an inappropriate means to transmit confidential information. After all, mails are just like messages in bottles thrown into the Internet sea...

14
0

Re: By default...

If I could upvote this more, I would. Email is, and always has been, an unsecured plain-text protocol. You might be able to ensure you have SSL between you and your mail server, but then as far as the protocol is concerned, that SMTP server could be delivering the message to the next relay by semaphore, or by shouting it across a busy pub.

If you want to send something securely by email, send an encrypted attachment, don't depend on the protocol to do the work for you. Even then, you have to consider that your attachment in its encrypted form is visible to world+dog, and that if someone wanted to brute-force it they probably could, so a password-protected zip file isn't going to be much use to you unless you like typing in long high-entropy passwords.

7
0

Re: By default...

You might be able to ensure you have SSL between you and your mail server, but then as far as the protocol is concerned, that SMTP server could be delivering the message to the next relay by semaphore

Technically true. However, many organisations require their partners, vendors, etc to prove that TLS is in use and enforced, or at least available opportunistically at each hop, mail system to gateway, gateway to filtering service provider, and vice versa.

3
0
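An added example (Python, not from the article or any commenter) for the hop-by-hop transport point raised in this reply and in the LDS post further up: an audit of a message's Received: chain that reports which SMTP hops negotiated TLS, using the RFC 3848 "with" keywords (ESMTPS, ESMTPSA and their UTF8 variants) that MTAs record. The sample message and its hosts are constructed; the only assumption beyond the RFCs is that you can name a domain suffix identifying the MTAs you operate.

```python
# Added example, not from the article or any commenter. Audits the Received:
# chain of a message for SMTP hops that did not negotiate TLS. Each receiving
# MTA prepends its own Received: header, so anything added upstream of servers
# you operate can be forged by an earlier hop; only the headers written by
# your own infrastructure are evidence. The sample message is constructed.
import email
import re
from email import policy

# RFC 3848 "with" protocol names that mean the session was under TLS
# (the trailing A additionally means the client authenticated).
TLS_PROTOCOLS = {"esmtps", "esmtpsa", "utf8smtps", "utf8smtpsa"}
_FROM = re.compile(r"^from\s+([^\s(;]+)", re.IGNORECASE)
_BY = re.compile(r"\bby\s+([^\s(;]+)", re.IGNORECASE)
_WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)", re.IGNORECASE)


def parse_received(value: str) -> dict:
    """Pull the from/by hosts and the protocol keyword out of one Received: value."""
    flat = " ".join(value.split())  # unfold continuation lines
    from_m, by_m, with_m = _FROM.search(flat), _BY.search(flat), _WITH.search(flat)
    proto = with_m.group(1).lower() if with_m else ""
    return {
        "from": from_m.group(1) if from_m else "",
        "by": by_m.group(1) if by_m else "",
        "with": proto,
        "tls": proto in TLS_PROTOCOLS,
    }


def audit_hops(raw: bytes, trusted_suffix: str) -> list:
    """Return hops in delivery order, marking TLS use and whether we can trust the record.

    Headers are prepended as the message travels, so get_all() is newest-first;
    reversing it gives the route from the sender toward us."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = [parse_received(str(v)) for v in reversed(msg.get_all("Received", []))]
    for hop in hops:
        hop["trusted"] = hop["by"].lower().endswith(trusted_suffix.lower())
    return hops


def cleartext_hops(raw: bytes, trusted_suffix: str) -> list:
    """Hops recorded by our own MTAs where the sending side did not use TLS."""
    return [h for h in audit_hops(raw, trusted_suffix) if h["trusted"] and not h["tls"]]


# Constructed sample: a partner's relay reaches our MX without STARTTLS,
# then the MX forwards internally over TLS.
SAMPLE = b"""\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mail.internal.example.net (Postfix) with ESMTPS id 7F3A2C1
    (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits));
    Thu, 12 Oct 2017 10:02:11 +0000
Received: from relay.partner.example.org (relay.partner.example.org [198.51.100.7])
    by mx1.example.net (Postfix) with ESMTP id 55B0C9D;
    Thu, 12 Oct 2017 10:02:09 +0000
Received: from workstation.partner.example.org (unknown [10.1.2.3])
    by relay.partner.example.org (Postfix) with ESMTPSA id 0A1B2C;
    Thu, 12 Oct 2017 10:02:05 +0000
From: alice@partner.example.org
To: bob@example.net
Subject: constructed sample

(body)
"""

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE, "example.net"):
        print(hop)
    print("cleartext hops:", cleartext_hops(SAMPLE, "example.net"))
```

Two caveats a practitioner should keep in mind. First, an ESMTPS keyword only records that STARTTLS was negotiated; it says nothing about whether the peer's certificate was checked, which is the gap the LDS post above is pointing at (Postfix adds the protocol and cipher comment only when smtpd_tls_received_header is enabled, and even that omits the verification result). Second, the partner's own internal hop in the sample is reported but marked untrusted, because nothing stops an upstream relay from writing whatever it likes into a header you did not generate.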

I've recently seen a current version of Outlook...

... and I can now say with confidence, that Microsoft has given up on e-mail a long time ago. It still doesn't even have basic functionality like being able to display topic trees correctly.

Essentially all the things people hate about e-mail are implemented, and all the things people like about e-mail are missing.

8
5

Re: I've recently seen a current version of Outlook...

Essentially all the things people hate about e-mail are implemented, and all the things people like about e-mail are missing.

MS GUIs seem to be more and more designed to piss off users... For instance, making the Configuration Panel much harder to access with Win10's 'Creator' (sic) update... WTF!

6
1

Re: I've recently seen a current version of Outlook...

Essentially all the things people hate about e-mail are implemented, and all the things people like about e-mail are missing.

Isn't that just SOP with Microsoft? Find the stuff people like and then either screw it up or remove it completely. It's not the data capturing of Microsoft I've come to loathe so much. ( They're all at it). It's that.

3
0

Re: I've recently seen a current version of Outlook...

Microsoft went all-in with better quicksearch over threading, topics, manual organization and tags, etc, after Google completely blew away the idea of manually organizing mail for most of the population. It turns out that only about 1% actually care that much, the rest just want some way to access it. Granted Office 2007 sucked balls in almost every way, but most of the Outlooks since 2010 have been relatively solid if you don't need it to act like a 90's Usenet reader.

It is obvious that investment has stalled for a long time, though; the answer to most Outlook feature requests has been "Use Sharepoint!" for a decade now. Great, now I have two problems.

0
0


Biting the hand that feeds IT © 1998–2017