
Microsoft's flawed Outlook

A glitch has been discovered in Microsoft's Outlook 98 messaging software that lets replies to encrypted emails be sent back unencrypted, the company says.

A glitch has been discovered in Microsoft's Outlook 98 messaging client software that lets replies to encrypted emails be sent back unencrypted, the company said.

The problem occurs when Outlook 98 users reply to an encrypted message sent by a user via a mail server other than Microsoft Exchange.

Outlook displays an incorrect warning that informs the sender that the recipient cannot read an encrypted message and gives the option to send it unencrypted or to cancel the transaction, according to a statement from Microsoft.

Microsoft said the problem is limited to customers using the corporate/workgroup configuration.

Microsoft said the glitch will be fixed in Outlook 2000, which is due to enter beta testing later this quarter.

Outlook 98 and the upcoming Outlook 2000 can both be configured in either Internet-only mode (for those using the email client to receive messages through an ISP) or corporate/workgroup mode, where customers use Outlook in conjunction with Exchange Server on the back end.

The reason Outlook incorrectly informs users that the recipient cannot read an encrypted message is that Outlook is not using the contact record containing the recipient's certificate to address the message, according to Microsoft.

Rob Enderle said such technology glitches tend not to put a damper on Microsoft's business. "It really depends on how painful the bug is. If it doesn't destroy data or crash whole systems, then there is little damage done to Microsoft."

Microsoft insists that the Outlook problem does not expose data, or information, without the user knowing. It is the choice of the user to either send the unencrypted response or not.

"To successfully send an encrypted reply in this situation, the sender must clear the pre-populated e-mail address and re-address the reply using the Outlook contact record containing the recipient's digital ID," according to a message sent by Microsoft's Outlook development team to CNET News.com.

As earlier reported, Outlook 98, along with three other popular email programs, was found to have a security hole that affects the way email clients handle file attachments with extremely long file names. A fix for the problem has been discovered and posted on the company's Web site.