Vulnerability Management, Email security

Exploitation of Microsoft OME bug may expose encrypted data

SecurityWeek reports that Microsoft Office 365 Message Encryption (OME) is affected by a vulnerability in the Electronic Codebook (ECB) mode of operation it uses, which could expose certain structural data related to emails. "Attackers who are able to get their hands on multiple messages can use the leaked ECB info to figure out the encrypted contents. More emails make this process easier and more accurate," said WithSecure researcher Harry Sintonen, who identified and reported the flaw to Microsoft, which rewarded him $5K for the discovery. Despite paying an award for the discovery, Microsoft has deemed the flaw not sufficient to be considered for security servicing. "Any organization with personnel that used OME to encrypt emails are basically stuck with this problem. For some, such as those that have confidentiality requirements put into contracts or local regulations, this could create some issues. And then of course, there's questions about the impact this data could have in the event it's actually stolen, which makes it a significant concern for organizations," said Sintonen, who urged against using OME for sensitive file encryption.
