back to article Dumb bug of the week: Outlook staples your encrypted emails to, er, plaintext copies when sending messages

Attention anyone using Microsoft Outlook to encrypt emails. Researchers at security outfit SEC Consult have found a bug in Redmond's software that causes encrypted messages to be sent out with their unencrypted versions attached. You read that right: if you can intercept a network connection transferring an encrypted email, …

  1. Oh Homer
    Linux

    WONTFIX

    This is Microsoft. Insecurity is a feature not a bug.

    1. Anonymous Coward
      Anonymous Coward

      Re: WONTFIX

      We're talking MS here - security isn't even an option, & your privacy can go stick its head in a pig.

      1. BenDwire Silver badge
        Coat

        ...& your privacy can go stick its head in a pig

        Isn't that what Cameron did with his privates?

        {allegedly, your honour}

    2. a_yank_lurker

      Re: WONTFIX

      Another way to slurp your data by Slurp </snark>

    3. This post has been deleted by its author

      1. Flywheel

        Re: WONTFIX

        Amber Rudd's rubbing her hands with glee!

        1. Tigra 07

          Re: WONTFIX

          Amber Rudd would instead request to ban computers from Britain as "Terrorists use them", shortly followed by banning pens and paper for the same reason, followed by oxygen.

          Absolutely thick politician

    4. Anonymous Coward
      Facepalm

      Re: No offence...

      But even in Linux/Opensource I've seen things labelled as "working as intended" and felt the need to hit a hard object forcefully in rage.

      (Personally I don't care who/why/what if the software is doing something obviously wrong/broken or dumb, even if it's third party problems, then don't ask it to do it... I know I should not run into the road, even if a the driver may be at fault, I'll still avoid doing it, and not label my activity as "working as intended" ;) ).

      1. Oh Homer

        Re: No offence...

        None taken. In fact I'm one of the most vocal opponents of the (albeit quite rare) "feature not a bug" mentality in the open source world.

  2. Anonymous Coward
    Anonymous Coward

    Dumb bug of the week...

    ...should be an actual column! You don't even have meta tags to direct your loyal readers to more articles of a similar style. Please fix this & start an actual DBotW series for us to be amused by!

    1. Anonymous Coward
      Anonymous Coward

      Re: Dumb bug of the week...

      a feature section, nice idea.

      1. Joe Werner Silver badge

        Re: Dumb bug of the week...

        Yeah, but I personally don't want to read about myself like once a month - considering the brain dead bug I discovered yesterday in my code. ;)

        To be fair: this code is only used by two people in the world, and for the other person this is not an issue as her data is formatted differently...

    2. handleoclast

      Re: Dumb bug of the week...

      Unfortunately, dumb bugs are like buses. You wait for ages and then three come at once.

      I suspect these things appear too sporadically to guarantee a weekly feature. But an occasional article about dumb bugs is probably feasible.

  3. Herby

    By design?

    Maybe some government entity is lurking in Redmond's back pocket. They always wanted backdoors.

    Than again, trusting Microsoft is a risky thing anyway.

    1. An0n C0w4rd

      Re: By design?

      Is this the new FBI version of security?

  4. Dwarf

    Testing a product works properly Isn't hard

    Oh, I forgot, the got rid of those people didn't they.

    Bring back the testers !

    1. Phil O'Sophical Silver badge

      Testing a product works properly Isn't hard

      True, but testing that it doesn't work improperly is far more difficult.

      1. Nolveys
        Gimp

        True, but testing that it doesn't work improperly is far more difficult.

        That's the easy part, there are these people called "users" who will do it for free.

      2. Tomato42
        Boffin

        > but testing that it doesn't work improperly is far more difficult.

        it's not far more difficult, but it does require a specific mindset, one that users don't have...

    2. Doctor Syntax Silver badge

      "Bring back the testers"

      The new system seems to be working fine.

      MS ships alpha code. Users and security researchers test it. Bugs get reported back to Microsoft.

      What are you complaining about?

  5. ma1010
    Coat

    Well, of COURSE!

    This is the new Five Eyes-mandated encryption system. Get used to it. You know, 'cause terrorists.

  6. Christoph

    What do you mean unencrypted? They used Dual ROT13 encryption!

    1. Anonymous Coward
      Anonymous Coward

      Of course they didn't use double ROT13, they used the much more secure NSA-approved multiple ROT26.

      1. John G Imrie

        ROT26.

        Those are both outdated technologies, what with Unicode and all that,. These days you nee to use ROT-1114112

  7. Anonymous Coward
    Anonymous Coward

    Microsoft is full of shitters...

    ^ this. Nothing more worth adding.

  8. jake Silver badge

    How long before ...

    ... Redmond sends in the shills to defend this obvious lack of testing?

    Or will it be the DevOps fanbois, rushing in to defend a lack of QA?

    1. a_yank_lurker

      Re: How long before ...

      As developer I respect good testers as they can save you from a lot mistakes. The key is the system has to have different people do the development, code review, and testing even if it is because different people can interpret an ambiguous spec differently forcing someone to clarify what they want.

      1. allthecoolshortnamesweretaken

        Re: How long before ...

        "As developer I respect good testers [..]"

        Hire my dad. Seriously, if your code survives him, you can be sure that it is resilent and as close to bug free as it possibly can be.

        1. Ken Moorhouse Silver badge

          Re: Hire my dad.

          If your dad also goes by the name allthecoolshortnamesweretaken then I would imagine he has uncovered quite a few buffer overflows in his time.

          1. David 132 Silver badge

            Re: Hire my dad.

            If your dad also goes by the name allthecoolshortnamesweretaken then I would imagine he has uncovered quite a few buffer overflows in his time.

            That's just his first name. His surname is Smith '); DROP TABLE Comments;--

            (and if the Reg comments system goes down after I click "submit", I will not know whether to laugh, cry, or flee the incoming vulture death-squads)

            1. J. Cook Silver badge
              Joke

              Re: Hire my dad.

              ... I thought it was Robert!

        2. Terry 6 Silver badge
          FAIL

          Re: How long before ...

          This also is the case for usability. Until something has been tried with a few real users you have absolutely no idea whether you've got it right or not. Until the people who think the monitor is the computer and switch it off when they go home, but leave the computer on - or who tell you that the email isn't working when they have a BSOD have tried it, it hasn't had real life testing.

    2. sabroni Silver badge

      Re: How long before Redmond sends in the shills

      I wouldn't hold your breath. Like they give a fuck about the chatter on here.....

  9. Anonymous Coward
    Facepalm

    c'mon...

    Everyone (should) knows that opening attachments within e-mails that originate from unknown sources are best left unopened. So what could possibly go wrong here? :)

    Even so... GPG4Win FTW. That's GnuPG for Windows (uses Kleopatra) and much to my first surprise it can hook directly into Outlook as well. And I'll take GPG over S/MIME any day of the week.

  10. ThomR

    From what I remember, S/MIME-based encryption in Exchange was not intended for obfuscating the contents of the email. Instead, it was for validating that the original email was unchanged. From what I remember, being involved in writing the original RFC-style protocol documentation for Exchange, this was a known aspect of how S/MIME encryption worked. There always has to be some unencrypted part that leaked information, because the extended headers often contained identifiable information as well. How do you pass a public key in an extended header when all the extended headers are encrypted, was root of the problem, and the message-body was just a longer-length version of that same problem. That's why they eventually went to SMTP over HTTPS/TLC, so that the encryption encapsulated the entire connection.

    Or, I could be remembering it wrong, too :D. But, this rings a loud, clear bell in my recollection.

    1. Anonymous Coward
      Anonymous Coward

      S/MIME was designed both for message signature and encryption. It is known that some transport data need to be in cleartext because of course only the recipient has the key to decrypt a message - still the message "payload" is encrypted, and it is in the server storage as well.

      Then the transport may happen over an encrypted channel to ensure confidentiality of the whole message - but unluckily now you can only protect that data from/to your mail client and your mail server - whatever happens outside your mail server is not under your control - the SMTP protocol really needs an update - there's a good chance no transport encryption will be used, and even it it is, there is no provision to check the certificates of the server you're talking to.

    2. Ken Moorhouse Silver badge

      it was for validating that the original email was unchanged.

      Surely that could have been done including an MD5 hash of the original email, instead of including it verbatim?

  11. foxyshadis

    Unlikely

    Microsoft claimed the exploitation of this bug was "unlikely" in the wild.

    Mostly because S/MIME is an essentially dead protocol, that only a handful of people have ever bothered with....

    1. T. F. M. Reader

      Re: Unlikely

      I suppose mostly because there is no need to "exploit" if the plain text is helpfully sent along, eh?

      Wait, this makes MSFT's statement technically correct, doesn't it?

    2. dajames

      Re: Unlikely

      Microsoft claimed the exploitation of this bug was "unlikely" in the wild.

      Mostly because S/MIME is an essentially dead protocol, that only a handful of people have ever bothered with....

      S/MIME isn't dead. It's the standard protocol to use when encrypting internet mail within a PKI. The other common mail encryption protocol is PGP, but that isn't used within a PKI. If S/MIME is not much used it's because most people don't actually bother to encrypt their mail.

      I would think that Microsoft regard exploitation of this bug as "unlikely" because they don't think anyone sends mail in plain text, nowadays.

      1. sabroni Silver badge

        Re: because they don't think anyone sends mail in plain text, nowadays

        I expect they checked with their snooping powers and saw that no one sends mail in plain text...

  12. T. F. M. Reader

    Remind me...

    ...why do NSA and GCHQ have such big budgets?

    1. Nolveys
      Windows

      Re: Remind me...

      Remind me...why do NSA and GCHQ have such big budgets?

      This either calls for a red riding hood joke or a dick joke.

  13. Potemkine! Silver badge

    By default...

    ... always consider email as an inappropriate mean to transmit confidential information. After all, mails are just like messages in bottles throw into the Internet sea...

    1. Loyal Commenter Silver badge

      Re: By default...

      If I could upvote this more, I would. Email is, and always has been, an unsecured plain-text protocol. You might be able to ensure you have SSL between you and your mail server, but then as far as the protocol is concerned, that SMTP server could be delivering the message to the next relay by semaphore, or by shouting it across a busy pub.

      If you want to send something securely by email, send an encrypted attachment, don't depend on the protocol to do the work for you. Even then, you have to consider that your attachment in its encrypted form is visible to world+dog, and that if someone wanted to brute-force it they probably could, so a password-protected zip file isn't going to be much use to you unless you like typing in long high-entropy passwords.

      1. Outski

        Re: By default...

        You might be able to ensure you have SSL between you and your mail server, but then as far as the protocol is concerned, that SMTP server could be delivering the message to the next relay by semaphore

        Technically true. However, many organisations require their partners, vendors, etc to prove that TLS is in use and enforced, or at least available opportunistically at each hop, mail system to getway, gateway to filtering service provider, and vice versa

  14. Christian Berger

    I've recently seen a current version of Outlook...

    ... and I can now say with confidence, that Microsoft has given up on e-mail a long time ago. It still doesn't even have basic functionality like being able to display topic trees correctly.

    Essentially all the things people hate about e-mail are implemented, and all the things people like about e-mail are missing.

    1. Potemkine! Silver badge

      Re: I've recently seen a current version of Outlook...

      Essentially all the things people hate about e-mail are implemented, and all the things people like about e-mail are missing.

      MS GUIs seem to be more and more designed to piss off users... For instance, making the Configuration Panel much harder to access with Win10's 'Creator' (sic) update... WTF!

    2. Terry 6 Silver badge

      Re: I've recently seen a current version of Outlook...

      Essentially all the things people hate about e-mail are implemented, and all the things people like about e-mail are missing.

      Isn't that just SOP with Microsoft. Find the stuff people like and then either screw it up or remove it completely. It's not the data capturing of Microsoft I've come to loath so much. ( They're all at it). It's that.

    3. foxyshadis

      Re: I've recently seen a current version of Outlook...

      Microsoft went all-in with better quicksearch over threading, topics, manual organization and tags, etc, after Google completely blew away the idea of manually organizing mail for most of the population. It turns out that only about 1% actually care that much, the rest just want some way to access it. Granted Office 2007 sucked balls in almost every way, but most of the Outlooks since 2010 have been relatively solid if you don't need it to act like a 90's Usenet reader.

      It is obvious that investment has stalled for a long time, though; the answer to most Outlook feature requests has been "Use Sharepoint!" for a decade now. Great, now I have two problems.

  15. Rural area satellite.

    MS plainly states that they respect the user's privacy. The memo is attached.

  16. Tom Melly

    So, if the attacker has both the encrypted and unencrypted versions, can they work out the private key? I assume not, since, thinking about it, that would make encryption about as useful as Theresa May.

  17. Stuart Moore

    Normally I'm all for bug hunters giving software companies time to fix before going public...

    ... But in this case given how easy the exploit is, and how far removed from the intended functionality, I can't help wondering if disclosing earlier would have been better so people could avoid sending more unencrypted emails that they believed were encrypted

  18. Anonymous Coward
    Anonymous Coward

    Cmon guys.

    Clearly they send the plaintext version to help verify the encrypted message when its decrypted.

    If they have nothing to compare the decrypted data with how do they know if it decrypted correctly.

    Duh.

  19. adam payne

    It's not a bug it's a backdoor so that intelligence agencies can read your boring email. They like to profile people it's a hobby of theirs.

  20. Terry 6 Silver badge

    To me it doesn't sound like a bug, as such. Rather just sloppy design.

  21. john.jones.name

    SMIME better than PGP just pity about those CA's

    Secure MIME has more support is easy to use but people like microsoft and Certificate Authorities are not helping...

    why would you encrypt the same part of the message (formating) but not the other ?

    I suspect that just a few gov offices will be asking a few questions...

  22. Anonymous Coward
    Anonymous Coward

    I underestimated Outlook

    I sent plain text email for many years but gave up when so many people complained, now every email from Outlook is ten pages of junk for two lines of text (if you view the source). Today I find Outlook's features mean I can send ten pages of obscured, poorly formatted HTML, and the plain text too!

    I thought HTML was the height of inefficiency, but I had no idea.

  23. mrobert

    I don't take chance

    In my case, i use from several year Secure Exchanges product. It's an addin that you can use on top of Microsoft Outlook, and encrypt, and destroy the email when it's read.

    I don't have choice to work with Microsoft, but i don't trust it anyway :-)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like