Microsoft Office 365 Vulnerability Could Allow Sidestepping of Email Encryption (venturebeat.com)
"A researcher from cloud and endpoint protection provider WithSecure has discovered an unpatchable flaw in Microsoft Office 365 Message Encryption," reports VentureBeat. "The flaw enables a hacker to infer the contents of encrypted messages."
OME uses the electronic codebook (ECB) block cipher, which leaks structural information about the message. This means if an attacker obtains many emails they can infer the contents of the messages by analyzing the location and frequency of patterns in the messages and matching these to other emails. For enterprises, this highlights that just because your emails are encrypted, doesn't mean they're safe from threat actors. If someone steals your email archives or backups, and accesses your email server, they can use this technique to sidestep the encryption.
The discovery comes shortly after researchers discovered hackers were chaining two new zero-day Exchange exploits to target Microsoft Exchange servers.
WithSecure originally shared its discovery of the Office 365 vulnerability with Microsoft in January 2022. Microsoft acknowledged it and paid the researcher through its vulnerability reward program, but hasn't issued a fix.
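The structural leak described in the excerpt (and the Wikipedia ECB picture the commenters below point to) can be shown in a few lines. This is an added example, not code from the article, from WithSecure or from Microsoft's OME: it assumes a toy 16-byte Feistel block cipher built on SHA-256 as a stand-in for AES (so it runs with only the standard library), encrypts a constructed email body containing a repeated boilerplate line in both ECB and CBC mode, and counts duplicate ciphertext blocks, the fingerprint a reviewer can check for in any ciphertext they are asked to trust.

```python
import hashlib

BLOCK = 16  # block size in bytes, same as AES

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Toy round function: keyed SHA-256 of the round index and one half (demo only, not AES).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Four-round Feistel network on a 16-byte block; a bijection, like any real block cipher.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, i, r)))
    return l + r

def pad(data: bytes) -> bytes:
    # PKCS#7 padding to a whole number of blocks.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # ECB: every block is encrypted independently, so equal plaintext blocks give equal ciphertext blocks.
    pt = pad(pt)
    return b"".join(toy_block_encrypt(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block first, which hides repetition.
    pt = pad(pt)
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_block_encrypt(key, bytes(a ^ b for a, b in zip(pt[i:i + BLOCK], prev)))
        out.append(prev)
    return b"".join(out)

def repeated_blocks(ct: bytes) -> int:
    # Number of ciphertext blocks that duplicate an earlier one; any value > 0 is the ECB fingerprint.
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return len(blocks) - len(set(blocks))

# Constructed sample: an email body whose 32-byte boilerplate line repeats three times (key and IV are made up).
MESSAGE = b"Confidential - do not forward!\n\n" * 3
KEY = b"constructed-demo-key-not-secret!"
IV = bytes(range(16))

def demo() -> tuple:
    # Returns (duplicate blocks under ECB, duplicate blocks under CBC) for the same key and message.
    return repeated_blocks(ecb_encrypt(KEY, MESSAGE)), repeated_blocks(cbc_encrypt(KEY, IV, MESSAGE))

if __name__ == "__main__":
    print(demo())  # (4, 0)
```

The ECB ciphertext repeats blocks exactly where the plaintext does, so an observer with many such messages can line up shared boilerplate without the key; the CBC ciphertext of the same message shows no repeats.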
Not surprised, but... (Score:2)
Re: (Score:2)
It's secure enough for the accountants and that's all that matters.
Microsoft's accountants, at any rate.
Re: (Score:2)
How on earth did they manage to get ECB for email encryption? Neither the S/MIME nor PGP formats support ECB, you'd have to have invented your own email encryption format to be this broken.
Which admittedly the XML folks did, but that's not normally used to encrypt email.
Re: (Score:3)
How on earth did they manage to get ECB for email encryption? Neither the S/MIME nor PGP formats support ECB, you'd have to have invented your own email encryption format to be this broken.
Hmm. You may have found the real reason they are doing it: intentional incompatibility! Of course, nobody with the least clue about cipher modes would ever use ECB, and hence it is not in any of the standards. But MS has proven time and again they do not have the least clue about many things they do and they have demonstrated time and again that they prefer to be incompatible to everybody else.
Just for reference, this explains why ECB is a bad idea on a level any random moron can understand: https://en.wiki [wikipedia.org]
Re: (Score:2)
Just for reference, this explains why ECB is a bad idea on a level any random moron can understand: https://en.wikipedia.org/wiki/... [wikipedia.org]
In other words, it's a good clear explanation. Why do you have to call people names all the time? Slashdot, please pray for this obnoxious asshole.
Wait…ECB? (Score:2)
Who the F still encrypts with AES-CBC?
Re:Wait…ECB? (Score:4, Funny)
Microsoft apparently. It is costly to change software to be up to the latest standards of cryptography. I'm sure Microsoft will do some analysis and say only 1 out of 2^N customers will be impacted. That too is much cheaper than fixing the bug.
JoshK.
Re: (Score:2)
I'm sure tobacco companies did some analysis and claimed only 1 out of 2^N customers might become ill from using their product. That lie was much cheaper than admitting the truth of the matter.
Slightly modified to reflect history.
As an obediently addicted society growing more and more reliant on massive providers of information and automation, we should probably do something about those shitty laws that allow the factor of cost to be abused as a defense, coupled to fines that are quite literally worth th
Re: (Score:2)
What was good for your dad is good for you!
Re: (Score:2)
What was good for your dad is good for you!
Enjoy the great taste of Charleston Chew!
Re: (Score:2)
AES-CBC is not a problem if used right. This is about ECB.
ECB (Score:2)
uses the electronic codebook (ECB) block cipher
ECB is a block cypher?
I think we found the problem.
They are using ECB mode? WTF? (Score:3)
I expect MS to be completely incompetent, but that is a new level. In any reasonable crypto course, the one thing they tell you about ECB mode is to _never_, _ever_ use it. Typically they also show you the picture for ECB here: https://en.wikipedia.org/wiki/... [wikipedia.org]
Which should make it amply clear even to the most stupid person why ECB mode is a bad idea. I did not only show this to my students, they also had to do an exercise on it.
And then MS goes ahead and uses ECB. The mind boggles. These people really are the worst cretins out there in the software space whose software is actually used. MS has to _die_. The sooner the better.
Re: (Score:1)
https://it.slashdot.org/story/... [slashdot.org]
Re: (Score:2)
Odds on OME dates to a time before that had become common wisdom. It's still here simply because MS management decided that maintaining backwards compatibility and not inconveniencing users with having to convert all their old email was more important than the security risks involved.
Meh, use PGP or S/MIME (Score:2)
If you are sending anything secret or super sensitive by email then use PGP or S/MIME
No worries where I work (Score:2)
oh, please please.... (Score:1)
Tell me that the fix will make all .pst files unreadable and able to be deleted.
To the cloud! (Score:1)
I promise it's more secure than anything you can do on-premises.
NSA: whoops someone discovered our backdoor :( (Score:1)