The Latest ‘Critical’ Microsoft Outlook Vulnerability: 5 Things To Know

Security researchers say the vulnerability is unusually dangerous and should be prioritized for patching.

Patch Now

Newly discovered vulnerabilities in software may be a daily occurrence, but some are a bigger problem than others. And by all indications, the zero-day vulnerability in Outlook that Microsoft disclosed earlier this week is a problematic one.

[Related: The Latest Zero-Day Vulnerabilities From Apple, Microsoft]

Security researchers say the privilege-elevation vulnerability in Outlook should be prioritized for patching, since the flaw is considered easy to exploit and is, in fact, being actively exploited. “We strongly recommend all customers update Microsoft Outlook for Windows to remain secure,” Microsoft said in a post Tuesday.

However, there’s evidence that even with the patch deployed, the critical-severity vulnerability can still be exploited under certain conditions. Microsoft acknowledged the possibility in a statement to CRN Friday, but noted that the technique for doing so, described by multiple security researchers, “requires an attacker to already have gained access to internal networks.”

The Outlook vulnerability was disclosed by Microsoft on Tuesday and is tracked at CVE-2023-23397. The company reiterated its call for organizations to patch the vulnerability in its statement Friday.

What follows are five things you need to know on the latest critical vulnerability in Microsoft Outlook.

Why It’s A Big Concern

The privilege-elevation vulnerability in Outlook has prompted calls for immediate patching on account of its unique qualities. Namely: “Unlike other exploits we’ve seen in the past, this exploit is particularly dangerous because no user interaction is required to trigger the exploit,” wrote John Hammond, senior security researcher at Huntress, in a blog post Friday. “Once an infected email arrives in a Microsoft Outlook inbox, sensitive credential hashes can be obtained.”

After the threat actor sends the malicious email, they’re able to capture what are known as Net-NTLMv2 hashes, a type of credential that can provide the attacker with authentication within Windows environments, Hammond said. “This allows threat actors to potentially authenticate themselves as the victims, escalate privileges, or further compromise the environment.”

Affected Versions

The vulnerability affects all supported versions of Outlook for Windows, according to Microsoft. Because browser-based Outlook and Microsoft 365 don’t support NTLM, they’re not vulnerable to the issue, according to Hammond. Outlook versions for Mac, iOS and Android are also not impacted by the issue, Microsoft said.

Easy To Exploit

The vulnerability has been rated as “critical” severity by Microsoft and is also considered a major concern because of how simple it is for an attacker to exploit. Dominic Chell, owner of consultancy MDSec, disclosed in a post the steps needed to exploit the Outlook flaw, concluding that the vulnerability is “incredibly easy to exploit” and that it should be prioritized for patching.

It’s Being Actively Exploited

The Outlook vulnerability is also being seen as problematic because it’s already been exploited by attackers. The flaw, in fact, was discovered and reported to Microsoft by the Ukraine Computer Emergency Response Team (CERT-UA). In a post, Microsoft said that its threat intelligence unit “assesses that a Russia-based threat actor used the exploit patched in CVE-2023-23397 in targeted attacks against a limited number of organizations in government, transportation, energy, and military sectors in Europe.”

In a post Friday, researchers from Deep Instinct reported that it has “found additional samples exploiting this vulnerability including the potential attack that was reported by CERT-UA.”

“The attacks on Romania, Poland, and Ukraine [leveraging the flaw] align with Russian interests, while the attacks on Jordan and Turkey might be related to a different threat actor,” Deep Instinct researchers said in the post.

Patch Not Sufficient?

Microsoft released a patch for the Outlook vulnerability on Tuesday as part of its monthly release of bug fixes, known as Patch Tuesday. However, some security researchers have determined that the patch is not enough. Chell, of MDSec, said in a tweet that “following some additional testing of #CVE-2023-23397 - I can confirm MS have only partially fixed this. You can still trigger auth to systems in trusted zones - ie other [Active Directory] joined systems, which can then be relayed for privilege escalation.”

Security researcher Will Dormann has reported having confirmed Chell’s findings as well. In order to exploit the flaw for privilege elevation on a patched system, an attacker would have to trigger the vulnerability via a local hostname in the network, Hammond said.

In response to an inquiry by CRN about the researchers’ findings Friday, Microsoft said in a statement that “the security update CVE-2023-23397 we released in March protects customers against the leak of NTLM hashes outside of their network. The technique described requires an attacker to already have gained access to internal networks. We encourage customers to apply the update to remain secure.”