In brief: Users of the Outlook desktop client should download Microsoft's latest Patch Tuesday updates, as they address a serious vulnerability that could grant attackers deep access to targeted systems. The exploit requires little to no action from victims and affects most Outlook applications.
Recent Windows updates aim to fix, among other issues, a severe security flaw in Microsoft Office that could grant hackers remote code execution privileges on affected systems.
The vulnerability, labeled CVE-2024-3802, received an "important" severity rating from Microsoft. However, the Morphisec researchers who reported it to the company believe it should be rated "critical." The discrepancy arises because the attack is zero-click when the malicious email comes from a trusted sender, but requires at least one click from the target when it is sent from an untrusted source.
This means that an attacker who compromises an Outlook account could use the vulnerability to reach the PCs of that account's contacts without them clicking on anything. Successful attackers could read, write, and delete files on compromised systems. Although malicious links can bypass Microsoft's Protected View, viewing emails in the Outlook Preview Pane is safe, according to Microsoft.
Morphisec discovered the flaw by reverse engineering Outlook and reported it to Microsoft in April. The company fixed it with the June 9 Patch Tuesday updates.
The research group will release the technical details of the exploit at the DEF CON 32 conference in Las Vegas, which runs from August 12 to 13. The presentation will also cover a similar recent Outlook vulnerability labeled CVE-2024-30103. Additionally, Morphisec plans to present its technical findings at a virtual threat presentation on August 15 at 1 PM ET.
Users should ensure critical software is updated and practice safe habits when checking email. Although Microsoft said the preview pane isn't an attack vector in this case, it's always safer to deactivate it whenever possible. Users should also be cautious when opening emails from unrecognized sources.
Microsoft is still investigating another exploit discovered last month that enables a malicious hacker to impersonate any Outlook account, but it only works when emailing other Outlook users. The researcher who uncovered the vulnerability encountered a surprising amount of controversy after Microsoft initially declined to examine the issue because they couldn't reproduce it.
After publicizing the case on Twitter, the researcher was met with hostility but successfully convinced Microsoft to open the case. It remains unclear when a fix will arrive.