Hello, welcome to the Thursday, October 12th, 2017 edition of the Sandin and Storm Center's

Stormcast.

My name is Johannes Ulrich Entertainment recording from Singapore.

Let's start with a little bit additional information about this week's Patch Tuesday.

First of all, there was one update that's pretty significant that didn't really

point out when I sort of discussed it earlier this week. And that's S-Mime in Microsoft Outlook.

S-Mime is typically used to encrypt emails and under certain conditions Microsoft Outlook

will encrypt the email but retain an unencrypted copy of the email and send both to the recipient.

Typically you're using S-MIME in order to accomplish end-to-end encryption between the sender and the recipient.

It's different than TLS encrypts data as it's being transferred from the sender to the mail server or between mail servers.

But the TLS does not actually encrypt the file as it's being saved by the mail client.

S-Mime is different in that way and as such it's usually considered more reliable and secure.

The problem here with Outlook was that if you sent an email in plain text and then encrypted it using S-Mime and Outlook,

it actually sent it as a multi-part message.

One part was properly encrypted, but the original content was just included as a second part

to the message. So the recipient would open the message, it second part to the message.

So the recipient would open the message, it looked encrypted to the recipient, but really wasn't.

Apparently this has been going on for about half a year.

Now if you send emails as HTML emails, then the encryption worked properly. By default, Outlook does send emails as HTML,

so those emails were not affected, but if you reply to a plain text email, then Outlook usually

uses plain text. Also, if the message was sent to a remote user that used a different exchange

server, then typically the unencrypted part got removed. So for the most part, disaffected

...