Click on
File
Office Account (Bottom Left)
Office Updates
Update Now
Microsoft has confirmed that a critical Outlook vulnerability, rated at 9.8 out of a maximum 10, is known to have already been exploited in the wild. If you think that sounds bad, it get’s worse: the exploit is triggered upon receipt of a malicious email, and so is executed before that email is read in the preview pane. That’s right; this is a no-user-interaction required exploit. Here’s what we know about the new Microsoft Outlook zero-day.
What is CVE-2023-23397, the critical Microsoft Outlook zero-day vulnerability?
CVE-2023-23397 is a Microsoft Outlook elevation of privilege vulnerability that, according to the Microsoft Security Resource Center (MSRC), has already been used by a “Russia-based threat actor” in targeted attacks against government, transport, energy, and military sectors in Europe. Indeed, the Ukrainian Computer Emergency Response Team (CERT) is credited as reporting the zero-day to Microsoft.
Full technical details are, as yet, fairly thin on the ground. However, an MSRC posting says that the critical Microsoft Outlook vulnerability is “triggered when an attacker sends a message with an extended MAPI property with a UNC path to an SMB (TCP 445) share on a threat actor-controlled server. No interaction is required.” The posting continues to explain that the connection to a remote SMB (server message block) server sends the user new technology LAN manager (NTLM) negotiation message which is then relayed for authentication against supporting systems. “Online services such as Microsoft 365 do not support NTLM authentication,” the MSRC posting confirms, so are not vulnerable to this exploit.
What do you need to do now?
The good news is that the warning concerning CVE-2023-23397 coincides with the release of the latest Patch Tuesday round of security updates for Microsoft users. Applying the relevant patch is therefore recommended. That said, if your organization is unable to apply these security updates immediately, then Microsoft has published some workaround mitigations. Adding users to the Protected Users Security Group will prevent the use of NTLM for authentication, but Microsoft warns that this could “cause impact to applications that require NTLM.” Alternatively, you can block outbound TCP 445/SMB using a firewall or through VPN settings.