In January 2022 I discovered that #Microsoft #Office365 Message #Encryption (OME) utilized Electronic Codebook (ECB) mode of operation. I reported this, got paid a $5000 bounty and then things fell dead silent. By autumn I tried to follow up on this, and after numerous attempts to inquire about the schedule for a fix I was told that no fix was planned.
Luckily, Microsoft seems to have changed their mind about this, and the fix was applied in late 2023, after all:
#vulnerability #infosec #cybersecurity
It’s disheartening that supposedly the best of the best can struggle with cybersecurity basics. It doesn’t leave much hope for the rest of us.
I think you’re very misguided if you think Microsoft is the best of the best at anything but driving their customers away. Specifically, power users.
@harrysintonen@infosec.exchange I remember this! Is this the security advisory? https://labs.withsecure.com/advisories/microsoft-office-365-message-encryption-insecure-mode-of-operation
@screaminggoat@infosec.exchange Yep, that’s the one.
