There’s another security bug in Windows, embarrassing for Microsoft because it was caused by their own March fix for another security bug in Outlook! That means anyone running Windows, and especially anyone using Outlook for Windows, should ensure they have the latest updates. This is another ‘zero-click’ Outlook bug that can infect your computer without any action by you, the user.
In short: update Windows and Outlook now to get the latest fixes for dangerous and easily used security holes.
Back in March we told you about the Outlook bug which allowed a reminder to be sent with a custom sound. That sound setting could, amazingly, link to a web site and run code on your computer.
As we said at the time “Yes, it’s possible for the sender of a message to set the reminder sound on the receiver’s computer. Strange, but true.”
This wasn’t a theoretical problem: Russian hackers had been using this security hole for at least six months before Microsoft acted.
Patching the security bug
Ben Barnea at Akamai looked at Microsoft’s fix and discovered a problem. There’s a way to trick Windows into thinking that a remote (web) path is really a safe local path. In tech speak, there’s a bug in MapUrlToZone, a commonly used Windows API call and the one Microsoft’s fix relies on to decide whether a path is remote.
So now we have what Microsoft calls “Windows MSHTML Platform Security Feature Bypass Vulnerability” or CVE-2023-29324.
Microsoft rates the complexity of the security bug as ‘Low’, meaning it’s relatively easy to exploit. But the severity is rated ‘Important’. If that’s not enough, no special user privileges (like admin-level access) and no user action are required to be infected.
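To make the security-relevant decision concrete, here is an added example (not code from this article, from Outlook, or from Microsoft’s fix) of the defensive choice a mail client can make when a message-supplied reminder-sound path arrives: instead of asking a zone mapper “is this path remote?”, accept only an absolute local drive-letter path and reject every other shape. The sample paths are constructed for the demonstration.

```python
import re

# Constructed sample reminder-sound values (not from the article): the kinds of
# strings a mail client might be handed and must classify before trusting them.
SAMPLE_PATHS = [
    r"C:\Windows\Media\chimes.wav",          # plain local file
    "C:/Windows/Media/chimes.wav",           # local, forward slashes
    r"\\fileserver\share\ping.wav",          # UNC share: remote
    "//fileserver/share/ping.wav",           # UNC written with forward slashes
    r"\\?\UNC\fileserver\share\ping.wav",    # UNC via the \\?\ namespace
    r"\\.\pipe\notasound",                   # device namespace
    "http://example.test/sound.wav",         # URL
    "file://fileserver/share/sound.wav",     # file: URL pointing at a share
    "C:relative.wav",                        # drive-relative, not absolute
    r"..\..\ping.wav",                       # relative with traversal
]

# A URL scheme is two or more scheme characters followed by ':'; a single
# letter followed by ':' is a drive letter, so it is deliberately not matched.
URL_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]+:")
# The only shape accepted: drive letter, colon, one backslash, then a name.
LOCAL_DRIVE = re.compile(r"^[A-Za-z]:\\(?!\\)")

def is_trusted_local_path(path: str) -> bool:
    """Allow-list check: True only for an absolute drive-letter path.

    The article's point is that a zone mapper answering "is this remote?"
    could be tricked; this function instead answers "is this unmistakably
    local?" and treats every other answer as untrusted.
    """
    p = path.strip().replace("/", "\\")   # Windows accepts either separator
    if p.startswith("\\\\"):              # \\server\share, \\?\..., \\.\...
        return False
    if URL_SCHEME.match(p):               # http:, https:, file:, ...
        return False
    if not LOCAL_DRIVE.match(p):          # relative or drive-relative paths
        return False
    if "\\..\\" in p or p.endswith("\\.."):
        return False                      # parent-directory traversal
    if any(ord(c) < 32 for c in p):       # control characters
        return False
    return True

def classify(paths):
    """Map each candidate path to its trust decision."""
    return {path: is_trusted_local_path(path) for path in paths}

if __name__ == "__main__":
    for path, ok in classify(SAMPLE_PATHS).items():
        print(f"{'allow' if ok else 'REJECT':7} {path}")
```

Only the two plain local files are allowed; every UNC, device-namespace, URL and relative form is rejected without the code needing to know which disguises a zone mapper might misjudge.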
What to update – part 1 – Outlook
If you haven’t updated Outlook for Windows since March, please do it now.
That’s for all Outlook for Windows from Outlook 2013 onwards: Outlook 2016, 2019, 2021, LTSC and Outlook 365.
CVE-2023-23397 has the list of updates available but it’s easier to just force an update from File | Account | Update | Update Now to get any and all outstanding patches.
What to update – part 2 – Windows
The Outlook patch takes care of the original ‘reminder sound’ problem, now to fix the bug in the Windows API.
All supported Windows versions need updating:
- Windows 11 – all including ARM versions
- Windows 10 – all including ARM versions
- Windows Server 2008 and later; 2012, 2016, 2019 and 2022.
CVE-2023-29324 has details of the individual updates but again, it’s easier to just force a Windows Update (from Settings) and get all outstanding updates.
Internet Explorer too
The Windows updates include a fix for Internet Explorer 11. Even though IE is ‘deprecated’ in favor of Microsoft Edge, IE is still widely used.
For most people the regular updating will include the Internet Explorer fixes. But some admins apply only security updates to Windows Server 2008 and 2012. On those systems the IE Cumulative update has to be applied separately. CVE-2023-29324 has links to the Security-only and IE updates.