Re: Outlook 98 Security "Feature"

From: KC Smith (kcsmithat_private)
Date: Thu Feb 11 1999 - 15:38:33 PST


    This bug has been fixed in Outlook2000.
    
    The problem had to do with where Outlook got the recipient's email address -
    on the reply note, it already had the email address so it didn't look the
    recipient up in the contacts folder, which is where the cert is stored.
    
    The official workaround for Outlook98 is as Jason describes below: if you
    reply and then re-select the recipient from your contacts folder, it will
    find the cert and encrypt the mail.
    
    - KC Smith
    Outlook Test
    
    
    > -----Original Message-----
    > From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of Jason Witty
    > Sent: Thursday, January 21, 1999 2:24 PM
    > To: BUGTRAQat_private
    > Subject: Re: Outlook 98 Security "Feature"
    >
    >
    > I have noticed this same type of behavior using Outlook '98 and a
    > Verisign Personal Certificate.  If, however, you do the following, it
    > will encrypt the reply:
    >
    > 1) Ensure the recipient is listed in your local contacts folder, and
    > that you have their public key (certificate).
    > 2) When replying, erase the TO: field.
    > 3) Click on the TO: button and change the "Show names from the:" box to
    > read "Contacts".
    > 4) Select that person's alias from the local contacts folder, and click
    > the "To->" button.
    > 5) Send the message
    >
    > I realize this is highly "cludgy", but it seems to work.  Hopefully
    > Micro$oft really IS working on a fix..........
    >
    > Jason
    >
    > Paul Leach wrote:
    > >
    > > > -----Original Message-----
    > > > From: Todd Beebe [mailto:toddat_private]
    > > > Sent: Saturday, January 16, 1999 6:57 PM
    > > > To: BUGTRAQat_private
    > > > Subject: Outlook 98 Security "Feature"
    > > >
    > > >
    > > > The basic problem is "replying to an encrypted email fails". Here's
    > > > what I initially sent to Microsoft on Sept. 11, 1998
    > > >
    > > > ***Start incident to Microsoft***
    > > >
    > > > After successfully receiving incoming email which is signed and
    > > > encrypted (Using Verisign Certificates on both ends), the following
    > > > error dialog box appears when trying to send the reply (default action
    > > > is to both sign/encrypt outbound email):
    > > >
    > > >   ERROR: Non-Secure Recipients
    > > >
    > > >   None of the recipients can process an encrypted message. You can
    > > >   either proceed with an unencypted message or cancel the operation.
    > > >
    > > >   [Don't Encrypt Message] [Cancel]
    > > >
    > > > ***End incident to Microsoft***
    > > >
    > > > I don't think an encrypted email that I receive, should be unencrypted
    > > > when I reply, and require me to Forward the reply to any and all
    > > > recipients.
    > > > Shouldn't the default be to encrypt all replies to encrypted email?
    > >
    > > Since the error message from Outlook means that it can't find the keys of
    > > any of the recipients in order to encrypt the reply, exactly _how_ do you
    > > expect it to do so?
    > >
    > > It appears that Outlook indeed wants to encrypt the reply, as you desire,
    > > and can't. So, there may be a bug here, but I seriously doubt that it is
    > > what you claim.
    > >
    > > Paul
    >
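
A minimal model of the lookup behaviour described at the top of this message, added here as an illustration (it is not Outlook code and not from any of the posters). All function names, the contacts dictionary and the certificate bytes are hypothetical or constructed; the sketch also shows a send check that fails closed when a certificate is missing.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Recipient:
    address: str
    cert: Optional[bytes] = None  # encryption certificate, if one was resolved

class NoCertificate(Exception):
    """Raised so the caller cancels the send instead of sending cleartext."""

# Constructed contacts folder: normalized address -> placeholder certificate.
CONTACTS = {"alice@example.test": b"CONSTRUCTED-CERT-ALICE"}

def _lookup(address: str) -> Optional[bytes]:
    return CONTACTS.get(address.strip().lower())

def resolve_as_described(address: str, from_reply: bool) -> Recipient:
    """Behaviour described in the post: a reply already carries the address,
    so the contacts folder (where the cert is stored) is never consulted."""
    if from_reply:
        return Recipient(address)  # cert stays None
    return Recipient(address, _lookup(address))

def resolve_always(address: str, from_reply: bool) -> Recipient:
    """Assumed alternative: consult contacts wherever the address came from."""
    return Recipient(address, _lookup(address))

def encrypt_targets(recipients):
    """Fail closed: refuse to send unless every recipient has a certificate."""
    missing = [r.address for r in recipients if r.cert is None]
    if missing:
        raise NoCertificate(", ".join(missing))
    return [(r.address, r.cert) for r in recipients]

def can_encrypt_reply(resolver, address: str) -> bool:
    """True if a reply to `address` would go out encrypted with this resolver."""
    try:
        encrypt_targets([resolver(address, from_reply=True)])
        return True
    except NoCertificate:
        return False

if __name__ == "__main__":
    for fn in (resolve_as_described, resolve_always):
        print(fn.__name__, can_encrypt_reply(fn, "Alice@Example.test"))
```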
    


