Outlook Users Warned Of Major Bug

John Lister's picture

This month's Microsoft "Patch Tuesday" update includes a fix for a major threat in Outlook. The bug means simply opening an email can trigger the attack. The update should have been applied to most systems by now, but some users may have shut off Windows Update, in which case it is recommended to re-enable and patch immediately.

The threat, discovered by security company Morphisec, is a remote code execution vulnerability. That's particularly nasty as it gives an attacker the ability to remotely operate on the victim's computer. They could then spread malware, install ransomware or attempt to retrieve sensitive data.

Morphisec says it worked with Microsoft after discovering the problem and didn't go public until Microsoft had both developed and released a fix. It's keeping some of the technical details of the bug under wraps until a security conference later this year. (Source: morphisec.com)

No Clicks Needed

Morphisec did reveal that the vulnerability becomes active when a user opens a compromised email in "most Microsoft Outlook clients." It doesn't require the user to open an attachment or click a link.

That's particularly dangerous as some Outlook clients are set to automatically open the first email in an inbox when they start up. That could also bring annoyance as it would encourage attackers to flood potential victims with emails to increase their chance of being first in the inbox.

Microsoft has given the bug the reference number CVE-2024-30103 and issued a fix in the June 2024 Security Update. That started rolling out automatically on June 11 in the usual slot of the second Tuesday of the month.

Hackers Not Yet Aware

Microsoft has ranked the bug as "important" rather than the top level of "critical". That's mainly because it doesn't yet have any evidence that any hackers are actively exploiting the bug. Of course, that's likely to change now it's become public knowledge. (Source: microsoft.com)

While Microsoft has always advised having security updates set to automatically download and install, it is possible to have them set to manual download only. Users who've gone for that option should install the fix immediately if they use Outlook.

What's Your Opinion?

Do you use Outlook? Do you have automatic updates switched on? Should Microsoft do more to publicize such bugs and fixes?


Comments

drobinson_nc_16614's picture

I have automatic updates turned on, but, when I check for updates, there is always a security update available for download.