Critical Outlook security bug now patched after 11 months
A critical security bug in Outlook has now been patched by Microsoft, about 11 months AFTER attackers started exploiting the vulnerability. This is a truly serious security problem and it’s important to update your Microsoft Office now.
Even Microsoft rates this problem as Critical, notable from a company that normally downplays security problems.
Anyone with Office for Windows, from Microsoft 365 and Office 2021 back to Office 2013, should update their software right away.
Usually, a malicious email has to be opened for viewing or a link in the message must be clicked. At the very least, the email has to appear in the Reading/Preview Pane.
With the “Microsoft Outlook Elevation of Privilege Vulnerability” none of that is necessary.
The attack works as soon as Outlook for Windows receives and processes the message from the online mailbox. The message carries a reminder whose sound file points to a network share controlled by the attacker (a UNC path such as \\attacker-host\share\file), and when that reminder triggers, Outlook connects to the share by itself. No reading, screen display or user action is required.
Of course, online spam and virus filters now check for these malicious messages, so most of them should not reach Outlook for Windows.
However, it’s much safer to patch Outlook so that similar messages which do slip through cannot do any harm.
Almost a year ‘in the wild’
As reported by Bleeping Computer, this Outlook security lapse has been used since mid-April 2022 to attack “fewer than 15 government, military, energy, and transportation organizations”.
Since many organizations don’t report (or even know about) successful attacks, that ‘fewer than 15’ number could be an underestimate.
The security patch was released on 13 March 2023, about 11 months after the bug was first exploited by criminals.
NTLM Relay attack
This Outlook security vulnerability enables what is called an ‘NTLM Relay attack’. NTLM is an older Microsoft authentication protocol that Windows still uses to log in to network services such as file shares.
“ … emails that will cause a connection from the victim to an external UNC location of attackers’ control. This will leak the Net-NTLMv2 hash of the victim to the attacker who can then relay this to another service and authenticate as the victim” (Source: Microsoft)
That means this security lapse is entirely Microsoft’s responsibility, because both the NTLM protocol and Outlook are its products.
What to do
There are updates available for all versions of Office for Windows back to Office 2013.
Update your Microsoft Office now and the security fix will be installed along with any other pending updates.
Outlook for Mac, iOS and Android, and Outlook on the web are NOT affected.
Exchange Server also has its own updates.
Microsoft’s security report “Microsoft Outlook Elevation of Privilege Vulnerability” aka CVE-2023-23397.
Exchange Server admins should check the dedicated Microsoft page, which includes a PowerShell script to find and remove any malicious messages in the mail store.
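For administrators who cannot roll the Office update out everywhere immediately, Microsoft’s advisory also recommended two interim measures: block outbound SMB (TCP 445) so the connection that leaks the Net-NTLMv2 response cannot complete, and put high-value accounts in the Active Directory “Protected Users” group, whose members cannot authenticate with NTLM at all. The script below is an added example written for this article, not code from the original page, from Microsoft or from its CVE-2023-23397 script. It assumes an elevated PowerShell session on a domain-joined Windows machine with the RSAT ActiveDirectory module installed; the account names and the test host are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example: interim hardening for CVE-2023-23397 alongside patching Outlook.
# Assumptions: elevated session, domain-joined host, RSAT ActiveDirectory module.

# 1. Block outbound SMB from this host. Microsoft's guidance is to block TCP 445
#    at the network perimeter; a local Windows Firewall rule is the per-host
#    equivalent. Restrict -Profile to Public,Private if the corporate LAN needs SMB.
$ruleName = 'Block outbound SMB (CVE-2023-23397 mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -Action Block -Profile Any | Out-Null
    "Created firewall rule: $ruleName"
}

# 2. Members of Protected Users cannot use NTLM, so there is no Net-NTLMv2
#    response to leak or relay. Side effects: no NTLM anywhere, no Kerberos
#    delegation, 4-hour TGT lifetime, so use it for admin accounts, not everyone.
Import-Module ActiveDirectory
$highValueAccounts = @('alice.admin', 'bob.admin')   # placeholders, replace with real sAMAccountNames
Add-ADGroupMember -Identity 'Protected Users' -Members $highValueAccounts
"Protected Users now contains: $((Get-ADGroupMember 'Protected Users').SamAccountName -join ', ')"

# 3. Record the installed Office build so it can be compared with the fixed
#    build listed in Microsoft's release notes (Click-to-Run installs only).
$c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
if ($c2r) { "Office Click-to-Run build: $($c2r.VersionToReport)" } else { 'No Click-to-Run Office install found' }

# 4. Verify the block: an outbound SMB probe to an external host (placeholder
#    name) should now fail. TcpTestSucceeded is $false when the rule is working.
$probe = Test-NetConnection -ComputerName 'smb-test.example.net' -Port 445 -WarningAction SilentlyContinue
"Outbound 445 reachable: $($probe.TcpTestSucceeded)"
```

Neither measure replaces the patch: the firewall rule only stops the leak while the client is on a network where the rule applies, and Protected Users protects only the accounts added to it. Apply the Office update first and keep these as defence in depth.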
Simple ‘one click’ force an update to Microsoft Office