Vigil@nce - Cisco IronPort Desktop Flag: unencrypted email sent
May 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
When the user wants to encrypt several emails via the Cisco
IronPort Desktop Flag plug-in for Microsoft Outlook, only the
first one is encrypted.
Severity: 2/4
Creation date: 11/05/2010
DESCRIPTION OF THE VULNERABILITY
The Cisco IronPort Desktop Flag plug-in can be installed on
Microsoft Outlook, in order to encrypt messages via Cisco IronPort
Encryption Appliance or Email Security Appliance. The user can
then click on the "Send Secure" button to encrypt an email and
send it.
However, due to an implementation error, if several email
composition windows are open, only the first email is encrypted.
The other emails are sent unencrypted.
Therefore, when the user wants to encrypt several emails via the
Cisco IronPort Desktop Flag plug-in for Microsoft Outlook, only
the first one is encrypted.
Note: this is not a vulnerability that an attacker can exploit,
but a bug with an impact on security.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Cisco-IronPort-Desktop-Flag-unencrypted-email-sent-9638