Microsoft working to fix Outlook encryption flaw
The company said it will find a solution to the iOS and Android bugs that cause corporate data policies to be ignored
Microsoft is developing a solution to an encryption flaw in the Outlook Android and iOS apps that causes some devices to ignore IT department passwords and policies, including encryption.
The company said additional features will be rolled out in the next few months to heighten security for corporate IT departments, including the addition of PIN lock and new Exchange ActiveSync policies.
Dirk Sigurdson, director of engineering at Rapid7's Mobilisafe, uncovered the flaw and demonstrated how encryption policies are being ignored on some mobile devices.
Sigurdson explained in a blog: "[With Outlook for Android and iOS] any ActiveSync policy defined on the server is completely ignored. Your company can define a sophisticated passcode or encryption policy that will have absolutely no impact on devices if this new email client is used by your employees. There are other potential security issues with Outlook as well, but this one I think is the most egregious.
"If your organisation is dependent on ActiveSync policies in any way you should immediately block ActiveSync access to Outlook for iOS and Android," he advised.
Another security blogger, Rene Winkelmeyer, warned of a number of other corporate security flaws in the Outlook apps when they were first released in January. He explained that Microsoft allows users to share corporate mail attachments with personal accounts, that ActiveSync IDs are shared across a single user's devices, and that these credentials are shared with Microsoft.
"The only advice I can give you at this stage is: block the app from accessing your companies [sic] mail servers. And inform your users that they shouldn't use the app," he explained.