Author Topic: Critical Bug in Outlook  (Read 6760 times)


Offline BU508ATopic starter

  • Super Contributor
  • ***
  • Posts: 4527
  • Country: de
  • Per aspera ad astra
Critical Bug in Outlook
« on: February 15, 2024, 07:16:22 am »
Stumbled over this a few minutes ago:

https://infosec.exchange/@briankrebs/111931702735845171

Quote:
"Heads up: Microsoft has updated its security advisory for the critical Outlook bug they patched on Tuesday, the one that can be exploited just by a malicious message being viewed in the preview pane. They're now saying it's under active attack.

This remote code execution vulnerability is assigned a CVSS3.1 (badness) score of 9.8."
“Chaos is found in greatest abundance wherever order is being sought. It always defeats order, because it is better organized.”            - Terry Pratchett -
 

Offline eTobey

  • Frequent Contributor
  • **
  • Posts: 557
  • Country: de
Re: Critical Bug in Outlook
« Reply #1 on: February 15, 2024, 07:58:32 am »
I wonder when the corresponding feature, that allows this, was introduced. Any idea?
"Sometimes, after talking with a person, you want to pet a dog, wave at a monkey, and take off your hat to an elephant." (Maxim Gorki)
 

Online coppercone2

  • Super Contributor
  • ***
  • Posts: 9456
  • Country: us
  • $
Re: Critical Bug in Outlook
« Reply #2 on: February 15, 2024, 08:04:09 am »
haha 4 years of asking if i checked my email well no I am keeping your servers safe
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Critical Bug in Outlook
« Reply #3 on: February 15, 2024, 12:51:00 pm »
Good find! Thankfully it's limited to older versions of Outlook. If you're one of these users, update straight away!
 

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16284
  • Country: za
Re: Critical Bug in Outlook
« Reply #4 on: February 15, 2024, 02:24:50 pm »
Yet how many enterprise users or business users ever update Outlook, especially if they have older versions that "still work" and are paid for, not the current rental option. I know many government offices still use Outlook 2002, with it never having had any patches or updates applied, and there are still a good number of places running on XP, including a lot of government offices.
 

Offline eTobey

  • Frequent Contributor
  • **
  • Posts: 557
  • Country: de
Re: Critical Bug in Outlook
« Reply #5 on: February 16, 2024, 11:03:22 am »
haha 4 years of asking if i checked my email well no I am keeping your servers safe

If you would use some things like "," ".", then one may understand what you are writing.
"Sometimes, after talking with a person, you want to pet a dog, wave at a monkey, and take off your hat to an elephant." (Maxim Gorki)
 

Offline SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14481
  • Country: fr
Re: Critical Bug in Outlook
« Reply #6 on: February 16, 2024, 09:21:35 pm »
Do people still use Outlook?
 

Offline Bud

  • Super Contributor
  • ***
  • Posts: 6912
  • Country: ca
Re: Critical Bug in Outlook
« Reply #7 on: February 16, 2024, 10:36:21 pm »
You forget to post the update. MS just admitted it is not an issue.
Quote
Feb 14, 2024
Mistakenly updated exploited flag and exploitability assessment to indicate exploitation existed. Reverting values to no
Facebook-free life and Rigol-free shack.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Critical Bug in Outlook
« Reply #8 on: February 17, 2024, 04:08:55 am »
You forget to post the update. MS just admitted it is not an issue.
Quote
Feb 14, 2024
Mistakenly updated exploited flag and exploitability assessment to indicate exploitation existed. Reverting values to no

 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Critical Bug in Outlook
« Reply #9 on: February 18, 2024, 10:23:46 pm »
Looks like it has been actively exploited.

https://twitter.com/xaitax/status/1759318090788037093
 

Offline nightfire

  • Frequent Contributor
  • **
  • Posts: 585
  • Country: de
Re: Critical Bug in Outlook
« Reply #10 on: February 18, 2024, 11:37:26 pm »
Yes, lots of them. In private, my stuff is web-based or on alternative mail clients, but in a corporate environment that is centered around a Windows domain, you quite often have an Exchange server and Outlook as its native and natural client.

I tried to pitch some proposal to replace the Exchange system at my workplace last year, but quickly realized that all the alternatives in the Linux world like Zimbra lacked some features or functionality, so boss did not approve of this.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Critical Bug in Outlook
« Reply #11 on: February 18, 2024, 11:43:07 pm »
Yes, lots of them. In private, my stuff is web-based or on alternative mail clients, but in a corporate environment that is centered around a Windows domain, you quite often have an Exchange server and Outlook as its native and natural client.

I tried to pitch some proposal to replace the Exchange system at my workplace last year, but quickly realized that all the alternatives in the Linux world like Zimbra lacked some features or functionality, so boss did not approve of this.

Hosting your own Exchange servers is a bit old-school these days, however I can understand why large businesses haven't moved over to something like M365 yet. It would be a huge undertaking, but it's bound to happen one day. Microsoft wants everyone in the cloud, whether it be for email, office applications or Windows itself.
 

Offline nightfire

  • Frequent Contributor
  • **
  • Posts: 585
  • Country: de
Re: Critical Bug in Outlook
« Reply #12 on: February 19, 2024, 12:22:58 am »
Let's say, in some environments it is becoming the new "modern-school", because the disadvantages of being trapped in a cloud service and costs become more and more visible.

My company also is based in EU and has some "KRITIS" customers. Therefore we are working in an environment with some enhanced data security and privacy guidelines, where a move to MS Cloud would put lots of things in a legal grey area.
Why? Simply because MS in their glossy papers claim that of course they would honor the EU law such as GDPR, but the formulations in their terms of usage and other contracts (which are the legally binding type) do not speak in such a strict manner. Also it is known that a US-based company in interest of national security HAS to abide by government orders when told to do so.

And as long as a company cannot get rid of its existing Exchange server infrastructure (often due to political reasons within management), it is safer to keep the systems on-premise or in a hosted datacenter where one has full authority over the systems.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 5681
  • Country: au
Re: Critical Bug in Outlook
« Reply #13 on: February 19, 2024, 12:45:51 am »
Sure and I fully get your points. There are advantages and disadvantages of both on-prem vs. cloud solutions. It just depends on your company and requirements.

I just foresee a day where on-prem Exchange will be no more.
 

