
Security Alert: Critical Outlook for Windows vulnerability

Date:
2023-03-17 13:27:00
Status:
Closed
Brief Description:
Microsoft has published updates for Microsoft Outlook on Windows operating systems that include a fix for a critical security vulnerability. Patch as soon as possible.
Current Status:
N/A
Services Affected:
Certified Desktop
Full Description:
Microsoft has published updates for Microsoft Outlook on Windows operating systems that include a fix for a critical security vulnerability. Patch as soon as possible.

A critical-severity vulnerability exists in Microsoft Outlook for Windows that can allow an attacker to escalate privileges by sending a crafted message with a universal naming convention (UNC) path pointing to an attacker-controlled server message block (SMB) server on TCP port 445. No user interaction is required for the vulnerability to be exploited. Microsoft states there is known exploitation of this vulnerability.
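
As a defensive triage aid for the path shape described above (an added example, not part of this advisory or of Microsoft's own tooling): it assumes your mail-inspection tooling has already extracted candidate property values from messages, takes an assumed allowlist of internal networks and DNS suffixes, and flags UNC paths whose host lies outside that allowlist. Local file paths are ignored; internal hosts are reported but not flagged.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample values standing in for strings pulled from messages.
SAMPLE_VALUES = [
    r"\\fileserver.corp.example\shares\reminder.wav",  # internal by suffix
    r"\\203.0.113.10\pub\alert.wav",                   # documentation IP, treated as external
    r"\\evil.example.net\c$\x",                        # external hostname
    "C:\\Windows\\Media\\Alarm01.wav",                 # local path, not a UNC path
    r"\\10.20.30.40\media\chime.wav",                  # internal by CIDR
]

# Assumed internal allowlist; adjust to your environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = ("corp.example",)

# \\host\share prefix; the host is everything up to the next backslash.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\([^\\]+)")


@dataclass
class Finding:
    value: str
    host: str
    external: bool


def is_internal_host(host: str) -> bool:
    """True if host is an IP literal inside an allowed CIDR or carries a trusted DNS suffix."""
    try:
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in INTERNAL_NETS)
    except ValueError:
        pass  # not an IP literal; fall through to suffix check
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in INTERNAL_SUFFIXES)


def triage(value: str) -> Optional[Finding]:
    """Return a Finding for a UNC path, or None for anything that is not one."""
    m = UNC_RE.match(value.strip())
    if not m:
        return None
    host = m.group(1)
    return Finding(value, host, not is_internal_host(host))


def external_unc_findings(values: List[str]) -> List[Finding]:
    """Keep only UNC paths whose host is outside the internal allowlist."""
    return [f for v in values if (f := triage(v)) is not None and f.external]
```

Hits from this check are a starting point for incident triage alongside outbound TCP 445 egress logs, not a verdict on their own.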

All currently supported versions of Microsoft Outlook for Windows are impacted: 2013, 2016, 2019, LTSC 2021, and Microsoft 365 Apps/Office 365 update channels.

Microsoft Outlook for non-Windows platforms is not impacted by this vulnerability.

For Certified Desktop customers:
Many Microsoft Outlook for Windows clients have already automatically updated. Updates will be made available today, Friday, March 17, with an installation deadline of 4:00 pm on Monday, March 20 for any remaining clients that have not updated.

For unmanaged Windows computers:
Apply the updates for Microsoft Outlook for Windows that Microsoft made available on March 14, 2023. Refer to the “Microsoft Office Release Notes” link below for the fixed version numbers.

References:
Microsoft MSRC - CVE-2023-23397: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
Microsoft Office Release Notes: https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates
Microsoft MSRC Blog: https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/
Bleeping Computer: https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-outlook-zero-day-used-by-russian-hackers-since-april-2022/
CIT TDX ID: