Microsoft patches attacked Office flaw and Outlook's 'fake crypto'

  • Liam Tung (CSO Online)
  • 12 October, 2017 05:36

Microsoft’s October Patch Tuesday addresses 62 vulnerabilities, including an Office flaw that was already being actively exploited, and an Outlook issue that sent encrypted email in the clear. 

The Office vulnerability could be exploited by opening a rigged file using a vulnerable version of Office. An email attacker would need to convince a target to open the attached file, or a click link leading to a malicious web page. This bug is being exploited in the wild, according to Microsoft. 

The October patches includes fixes for 27 critical vulnerabilities, most of which affect Edge and Internet Explorer, and some Windows components.   

Microsoft also closed off a serious bug in Outlook but only provided a sparse description that there was an “information disclosure vulnerability… when Outlook fails to establish a secure connection.” 

Another way to describe the issue was that Outlook had “fake crypto” caused by a problem in Microsoft’s implementation of the S/MIME end-to-end encryption standard, according to SEC-Consult, the firm that reported the issue. 

As far as email encryption goes, SEC-Consult rates it as a “worst-case bug” since email content that users expected to have been encrypted were in fact sent in the clear. 

Outlook provides an option to sign and encrypt the body of an email so that, say, if a person wanted to send a contact a password or sensitive business plans over email, the intended recipient would need the private key to view the email's content. The problem was that Outlook sent the email with the message encrypted and in the clear.    

“There is a bug in Outlook that causes S/MIME encrypted mails to be sent in encrypted and unencrypted form (within one single mail) to your mail server (and the recipient’s mail server and client and any intermediate mail servers). The impact is that a supposedly S/MIME encrypted mail can be read without the private keys of the recipient. This results in total loss of security properties provided by S/MIME encryption,” SEC-Consult wrote. 

This applies to the body of any encrypted email sent from Outlook since at least May 2, when the firm discovered the flaw. In other words, any email sent in the past six months that the user thought was encrypted, wasn't.  

Though Microsoft says the flaw has not been exploited yet, an Outlook 2016 user revealed the encryption issue on Microsoft’s user forums on June 2, so it's not a secret either.

SEC-Consult notes that an attack doesn't need to do anything to exploit the vulnerability and could exploit it passively.

According to Microsoft, 32-bit and 64-bit editions of Outlook 2016 are affected.

Security researcher Kevin Beaumont argued that Microsoft should provide more detail in its advisory due to the gravity of Outlook not sending encrypted email for six months.

SEC-Consult says Microsoft should provide assistance to users explaining remediation steps for any affected unencrypted email sent during the period. 

"Unfortunately there is no easy solution to remediate the impact of this vulnerability. In cases where mails have been send to third parties ... remediation is not possible by the sending party, since the sender has no authority over the recipient’s mail infrastructure. 

"It is the responsibility of the vendor (Microsoft) to provide guidance to remediate the risk of unintentionally unencrypted past mails," the security firm wrote. 

CSO Online has asked Microsoft whether it will be providing more information to affected Outlook customers. We'll update the story if we receive a response.