All Outlook for Windows versions have a critical bug which makes it far too easy for a hacker to gain access to a computer. It just needs a simple link clicked from an email to bypass Office Protected View protections, even from the Preview pane. So all Outlook installations should be updated as soon as possible.
Microsoft rates the security bug as ‘Critical’; a more accurate word would be ‘Embarrassing’. The nickname is ‘MonikerLink’.
Originally Microsoft listed this bug as ‘Exploitation Detected’, meaning it was being used by hackers. Now they’ve reversed that and say ‘Exploitation Unlikely’, though it’s not clear how they can say that given how simple the hack is.
Some security problems involve sophisticated code, but all you need for this bug is an exclamation point! (literally). Security expert Haifei Li (from Check Point) says:
“The crazy part for me when discovering the issue is that this is a very easy-to-find problem but overlooked for like decades – nothing special, I just typed the “!” in hyperlinks on Outlook.”
Source: Haifei Li on Twitter/X
#MonikerLink in action
A simple example of the security bug is this link:
file:///\\10.10.111.111\test\test.rtf!something
All that’s needed to bypass Microsoft’s much-hyped security is the exclamation mark after the file name plus some random text.
“The key point here is the special exclamation mark “!”, which changes the behavior of Outlook.”
Source: CheckPoint.com
It seems Outlook considers the ! an indicator that it’s a ‘Moniker Link’ (hence the nickname for the exploit).
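As an added example (not from the article, Check Point or Microsoft), here is a small Python check that a mail gateway or log-review script could run over hyperlinks already extracted from messages, flagging file: links that point at a remote share and carry the “!” separator described above. It assumes links arrive as plain strings; whether Outlook decodes a percent-encoded “%21” before moniker parsing is unknown to me, so the check conservatively treats it the same as a literal “!”.

```python
import re
from urllib.parse import unquote
from dataclasses import dataclass

# Constructed sample hyperlinks, as a gateway or log-review script might
# extract them from message bodies. Only the third and fourth match the
# MonikerLink shape described in the article.
SAMPLE_LINKS = [
    "https://example.com/report.rtf",
    "file:///C:/Users/me/notes.rtf",
    "file:///\\\\10.10.111.111\\test\\test.rtf!something",
    "file://///10.10.111.111/test/test.rtf%21item",
    "file:///\\\\10.10.111.111\\test\\test.rtf",
]

@dataclass
class Verdict:
    link: str
    suspicious: bool
    host: str
    reason: str

_FILE_PREFIX = re.compile(r"^file:(?://)?", re.IGNORECASE)

def classify_link(link: str) -> Verdict:
    """Flag file: links that target a remote share and carry a '!' after
    the path. Percent-decoding is a conservative assumption: we do not know
    whether Outlook decodes '%21', so an encoded '!' is treated the same."""
    if not _FILE_PREFIX.match(link):
        return Verdict(link, False, "", "not a file: link")
    rest = unquote(_FILE_PREFIX.sub("", link, count=1))
    rest = rest.replace("\\", "/").lstrip("/")
    # After stripping the scheme and leading slashes, a remote path starts
    # with the host name or address; a local path starts with a drive letter.
    host = "" if re.match(r"^[A-Za-z]:", rest) else rest.split("/", 1)[0]
    path = rest[len(host):] if host else rest
    if "!" not in path:
        return Verdict(link, False, host, "no '!' moniker separator")
    if not host:
        return Verdict(link, False, host, "local path with '!' (review manually)")
    return Verdict(link, True, host, f"remote share {host} with '!' after path")

def flag_links(links):
    """Return only the verdicts worth escalating."""
    return [v for v in (classify_link(item) for item in links) if v.suspicious]

if __name__ == "__main__":
    for v in flag_links(SAMPLE_LINKS):
        print(f"SUSPICIOUS {v.link}: {v.reason}")
```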
Long-standing bug ignored
The bug is in the long-standing MkParseDisplayName API and, according to Check Point, could have been sitting there for decades.
Worse, Microsoft itself published a security warning about the API calls, which perhaps the Outlook team has overlooked?
Yet again Microsoft’s promises about security audits on current and past software fall short.
Kudos to Check Point and Haifei Li for finding and reporting this nasty bug. They warn that Moniker Link security problems might exist in other software that relies on the same API.
How to protect against MonikerLink
All Outlook for Windows releases are affected and all supported versions need updates to protect against MonikerLink.
Microsoft 365
Office 2021, Office 2019, Office LTSC
All ‘Click to Run’ modern releases of Office/Microsoft 365 should be updated via File | Account | Update | Update Now.
The software might have already been updated in the background, but it’s safer to manually update, even if just to see the reassuring message that the software is up to date.
Office 2016
Any Office 2016 releases using ‘Click to Run’ install should be updated automatically, just like Microsoft 365 and other modern Office releases.
It’s more complicated for Office 2016 ‘MSI’ users, but happily all five separate patches should be installed via Microsoft Update (the usual way to update Office 2016).
If you don’t use Microsoft Update, here are the links to the individual patches. Why, oh why does it take FIVE separate patches to fix one API bug?
64-bit
Microsoft supplies these links for 64-bit Office 2016 patches
32-bit
Microsoft supplies these links for 32-bit Office 2016 patches
Office 2013, Office 2010
These and other Office releases are out of support and will not be fixed, even for such a long-standing and too-simple security bug. See the Microsoft Office support end dates checklist.