S/MIME (Secure/Multipurpose Internet Mail Extensions) is a protocol for sending digitally signed and encrypted messages. So far, so good. Unfortunately, if you use Microsoft Outlook to send secure emails, messages sent from any set-up employing S/MIME may not be encrypted after all – leaving the email contents wide open to snoopers.
The trouble stems from the fact that Outlook emails go out in both encrypted and unencrypted form. Fortunately, this problem only manifests itself under certain circumstances – for instance, only ‘sent’ emails in plaintext are vulnerable.
Researchers stumbled across the leak by chance in May this year and alerted Microsoft, which quietly issued the necessary fix. However, it is not clear whether the bug affects all Outlook versions or just those released since its discovery. To be on the safe side, anyone using S/MIME should treat all correspondence as potentially compromised.