2022-10-17

Security researchers from WithSecure have discovered an unpatchable vulnerability in Microsoft Office 365 Message Encryption (OME) that lets hackers infer the contents of encrypted messages.

OME encrypts sent and received emails using the Electronic Code Book (ECB) mode of operation, which is widely considered broken or risky.

“This mode is generally insecure and can leak information about the structure of the messages sent, which can lead to partial or full message disclosure,” said WithSecure.

BleepingComputer reported that the issue with ECB is that identical blocks of plaintext produce identical blocks of ciphertext whenever the same key is used.

That results in a pattern that makes it easy for malicious actors to perform cryptanalysis on encrypted emails.

“An attacker with a large database of messages may infer their content (or parts of it) by analysing relative locations of repeated sections of the intercepted messages,” WithSecure said.
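The leak WithSecure describes is a property of the ECB mode itself, so it can be shown with any block cipher. The following is an added example, not code from WithSecure or Microsoft: it uses only the Python standard library, with a toy 16-byte-block Feistel cipher keyed by HMAC-SHA256 standing in for AES (an assumption made so the script runs without third-party crypto packages), and the message, key and IV are constructed for the demo. It encrypts a short mail body whose 16-byte "CONFIDENTIAL" section appears twice, once in ECB and once in CBC, and then runs the same repeated-block scan a defender would use to detect ECB-encrypted data at rest.

```python
"""Why ECB mode leaks message structure (added example, stdlib only).

The cipher is a toy 4-round Feistel network on 16-byte blocks keyed with
HMAC-SHA256 (an assumption so no AES library is needed). The repeated-block
pattern shown is caused by the ECB *mode*, and AES-ECB behaves the same way.
"""
import hashlib
import hmac

BLOCK = 16  # 128-bit blocks, the same block size as AES

# Constructed values for the demo, not from any real deployment.
KEY = hashlib.sha256(b"demo key for the ECB example").digest()
IV = bytes(range(BLOCK))
SAMPLE_MESSAGE = (
    b"Subject: Q3 nums"   # block 0
    b"CONFIDENTIAL----"   # block 1, repeated as block 3
    b"Revenue: 1234567"   # block 2
    b"CONFIDENTIAL----"   # block 3
)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function: HMAC over (round number || half), truncated to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Four Feistel rounds yield an invertible keyed permutation of one block,
    # so distinct plaintext blocks always map to distinct ciphertext blocks.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # PKCS#7: always add 1..16 bytes
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # ECB: every block is encrypted independently with the same key, so any
    # repeated plaintext block shows up as a repeated ciphertext block.
    data = pad(plaintext)
    return b"".join(encrypt_block(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    blocks = (decrypt_block(key, ciphertext[i:i + BLOCK]) for i in range(0, len(ciphertext), BLOCK))
    return unpad(b"".join(blocks))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CBC: each block is XORed with the previous ciphertext block before
    # encryption, so equal plaintext blocks no longer produce equal output.
    data = pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> dict:
    """Defender-side ECB check: map each ciphertext block that occurs more than
    once to the block indices where it appears. A non-empty result on data that
    should be encrypted is a strong indicator that ECB mode was used."""
    seen = {}
    for idx in range(len(ciphertext) // BLOCK):
        seen.setdefault(ciphertext[idx * BLOCK:(idx + 1) * BLOCK], []).append(idx)
    return {blk.hex(): pos for blk, pos in seen.items() if len(pos) > 1}


if __name__ == "__main__":
    print("ECB repeats:", repeated_blocks(ecb_encrypt(KEY, SAMPLE_MESSAGE)))  # {'…': [1, 3]}
    print("CBC repeats:", repeated_blocks(cbc_encrypt(KEY, IV, SAMPLE_MESSAGE)))  # {}
```

The ECB output reveals that blocks 1 and 3 of the message are identical without the key ever being known, which is exactly the "relative locations of repeated sections" an analyst with a large corpus of intercepted messages would correlate; the CBC output of the same message shows no repeats. The scan in `repeated_blocks` is also a practical audit check: run over stored ciphertext, repeated 16-byte blocks are a red flag for ECB use.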

Attackers would need access to previously leaked emails to exploit the vulnerability.

“More emails make this process easier and more accurate, so it’s something attackers can perform after getting their hands on email archives stolen during a data breach, or by breaking into someone’s email account, email server or gaining access to backups,” said the researcher who discovered the flaw, Harry Sintonen.

Microsoft has not patched the problem in 9 months

Sintonen reported the vulnerability to Microsoft on 11 January 2022 and received a $5,000 bounty for his efforts.

However, after repeated follow-ups about resolving the issue, the company finally said that it did not consider the vulnerability to meet the bar for security servicing, nor did it consider it a breach.

“No code change was made, and so no CVE [common vulnerabilities and exposure] was issued for this report,” Microsoft said.

“The root cause for the vulnerability appears to be a prior decision to use Electronic Codebook (ECB) mode of operation with message encryption and then maintaining compatibility with this poor decision,” Sintonen said.

Sintonen said that end users or administrators of the email system had no option to enforce a more secure mode of operation.

“Since Microsoft has no plans to fix this vulnerability, the only mitigation is to avoid using Microsoft Office 365 Message Encryption,” Sintonen advised.

The weakness in ECB first came to light following the 2013 Adobe data breach.

In that instance, researchers determined millions of passwords were leaked due to the use of ECB.

Its weakness was highlighted again in 2020, after researchers found that the popular video communications app Zoom encrypted both video and audio with the same 128-bit key, using the cipher in ECB mode.