Outlook Users Warned Of Major Bug

John Lister's picture

This month's Microsoft "Patch Tuesday" update includes a fix for a major threat in Outlook. The bug means simply opening an email can trigger the attack. The update should have been applied to most systems by now, but some users may have shut off Windows Update, in which case it is recommended to re-enable and patch immediately.

The threat, discovered by security company Morphisec, is a remote code execution vulnerability. That's particularly nasty as it gives an attacker the ability to remotely operate on the victim's computer. They could then spread malware, install ransomware or attempt to retrieve sensitive data.

Morphisec says it worked with Microsoft after discovering the problem and didn't go public until Microsoft had both developed and released a fix. It's keeping some of the technical details of the bug under wraps until a security conference later this year. (Source: morphisec.com)

No Clicks Needed

It did reveal that the vulnerability becomes active when a user opens a compromised email in "most Microsoft Outlook clients." It doesn't require the user to open an attachment or click a link.

That's particularly dangerous as some Outlook clients are set to automatically open the first email in an inbox when they startup. That could also bring annoyance as it would encourage attackers to flood potential victims with emails to increase their chance of being first in the inbox.

Microsoft has given the bug the reference number CVE-2024-30103 and issued a fix in the June 2024 Security Update. That started rolling out automatically on June 11 in the usual slot of the second Tuesday of the month.

Hackers Not Yet Aware

It's ranked the bug as "important" rather than the top level of "critical". That's mainly because it doesn't yet have any evidence that any hackers are actively exploiting the bug. Of course, that's likely to change now it's become public knowledge. (Source: microsoft.com)

While Microsoft always advised having security updates set to automatically download and install, it is possible to have them set to manual download only. Users who've gone for option should install the fix immediately if they use Outlook.

What's Your Opinion?

Do you use Outlook? Do you have automatic updates switched on? Should Microsoft do more to publicize such bugs and fixes?

Rate this article: 
Average: 5 (10 votes)

Comments

drobinson_nc_16614's picture

I have automatic updates turned on, but, when I check for updates, there is always a security update available for download.