Users who utilized Microsoft Outlook to send out secure emails encrypted via the S/MIME standard might have had the content of those emails leaked by an Outlook bug.
The issue is that Outlook sends an email in both encrypted and unencrypted form. An attacker that is able to snoop email traffic might be able to read the contents of these emails.
The bug is not a general problem, but only manifests under certain scenarios, described below:
Only emails encrypted with the S/MIME
public key encryption standard are affected, but not PGP/GPG.
Leak of encrypted emails occurs only for emails "sent" using Outlook, not received in Outlook.
The leak occurs only for Outlook emails sent in plaintext. Default Outlook setting is to use HTML formatting.
Leak also happens when users try to encrypt responses to plaintext emails. Outlook automatically changes the default HTML formatting to plaintext when responding to such emails
The leak occurs all the time if the user utilizes Outlook with an SMTP server.
The leak occurs only one server hop for Outlook clients using Microsoft Exchange infrastructure. This limits the leak of encrypted emails inside a company's network. TLS must also be disabled for email communications.
Leak also occurs in the recipient's email client. Because email clients show email message previews, an attacker can view the content of the encrypted message even if he doesn't have access to the target's private encryption key. For example, an attacker who gained access to a victim's email password but not his S/MIME private key can read some of the encrypted messages the victim received, sent by users running leaky Outlook installations.
The encryption leak, even if limited to the scenarios above, is a sensitive issue. Companies use encryption to safeguard sensitive information they exchange via email. Most bug and vulnerabilities reports are also handled in an encrypted format.
Microsoft tight-lipped about true impact
SEC Consult researchers discovered the leak of Outlook S/MIME encrypted emails by accident earlier this year. Another user reported the same problem on the Microsoft forums a month later.
Researchers said they contacted Microsoft about the issue and the company released a fix for the bug — tracked as CVE-2017-11776 — yesterday, during the October 2017 Patch Tuesday.
Microsoft did not reveal what Outlook versions were affected by this issue, meaning the bug could affect all Outlook versions ever released, or just versions released since May 2017, when SEC Consult discovered the problem.
For the time being, companies that fit the CVE-2017-11776 exploitation scenario should update their Outlook clients and should treat all information sent via S/MIME-encrypted emails as compromised.