March 15, 2023

Patch now! MS Outlook 0-Day vulnerability

Summary

On March 14th, Microsoft disclosed a critical security vulnerability (CVE-2023-23397) that affects all supported versions of Microsoft Outlook for Windows. The vulnerability can be exploited with an email message or a calendar invitation, and ultimately, it allows adversaries to use your login credentials without even knowing your password.

  • It does NOT affect online services such as Outlook Web Access (OWA) and Microsoft 365.
  • It does NOT affect Outlook for Android, iOS, or macOS versions.

Microsoft has released an update to address this vulnerability as part of this month’s regular Patch Tuesday updates. If you are responsible for any non-UW managed Windows computers (including personal computers running Outlook), you should ensure this patch is applied as soon as possible.

Running Windows Update on these machines will apply patches for this vulnerability. The patches may also be downloaded individually at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397 (under “Security Updates”).

Microsoft has also released a brief technical description of the vulnerability, which can be found here: https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/

Recommendations for UW students, faculty, and staff

  1. Use the browser to connect rather than your desktop Outlook client until your client is patched.
    More info: Outlook on the web (aka OWA) – IT Connect (uw.edu)
  2. Check for updates depending on your device or operating system.
    More info: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397
  3. Enable automatic updates, and ensure that your computer is updated after each update cycle.

Technical details

An attacker can exploit this vulnerability by sending an email message or calendar invitation that contains a link to an attacker-controlled Windows shared resource. Outlook automatically retrieves and processes the item, which causes the victim's NTLM hash to be sent to the attacker-controlled resource, regardless of whether the victim opens the message or invitation. The attacker can then relay the victim's NTLM hash to an exposed service that supports NTLM authentication on the victim's device or network and authenticate to that service as the victim.

Vulnerability details:

  • Exploitable over the network by a remote attacker
  • Attack complexity is low, making exploitation more likely
  • A proof-of-concept exploit has been disclosed, making widespread exploitation more likely
  • No privileges or user interaction are required for exploitation
  • Updates to mitigate the vulnerability are available from Microsoft
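Because the trigger is a message or calendar item carrying a path to a share outside the organization, a defender triaging mail items wants a quick way to tell an internal file-server path from an external one. The following is an added example, not code from this advisory or from Microsoft: it assumes the UNC path has already been extracted from each item, and the internal address ranges, DNS suffix and sample items are all constructed.

```python
import ipaddress
import re

# Constructed policy: address ranges and DNS suffixes treated as inside the
# organisation's network. Anything else is an external share that a mail or
# calendar item should never make Outlook connect to. Values are hypothetical.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNAL_SUFFIXES = ("corp.example.edu",)

# Matches \\host\share... and the long form \\?\UNC\host\share...;
# forward slashes are accepted because Windows tolerates them in UNC paths.
UNC_RE = re.compile(r"^[\\/]{2}(?:\?[\\/]UNC[\\/])?([^\\/]+)", re.IGNORECASE)


def unc_host(path):
    """Return the host part of a UNC path, or None if the path is not UNC."""
    m = UNC_RE.match(path.strip())
    return m.group(1).lower() if m else None


def is_internal(host):
    """True for an internal IP, an internal FQDN, or a bare single-label name."""
    try:
        ip = ipaddress.ip_address(host)
        return any(ip in net for net in INTERNAL_NETWORKS)
    except ValueError:
        pass
    if "." not in host:  # single-label (NetBIOS-style) names only resolve inside the domain
        return True
    return any(host == s or host.endswith("." + s) for s in INTERNAL_SUFFIXES)


def flag_items(items):
    """Return (subject, host) for every item whose path points at an external share."""
    findings = []
    for item in items:
        host = unc_host(item["path"])
        if host is not None and not is_internal(host):
            findings.append((item["subject"], host))
    return findings


# Constructed sample items; the path field is assumed to be already extracted.
SAMPLE_ITEMS = [
    {"subject": "Team sync", "path": r"\\fileserv01\public\chime.wav"},
    {"subject": "Budget review", "path": r"\\?\UNC\nas.corp.example.edu\media\ding.wav"},
    {"subject": "Invoice", "path": r"\\203.0.113.10\share\reminder.wav"},
    {"subject": "Re: lunch", "path": "//files.example.net/dav/sound.wav"},
    {"subject": "Local", "path": r"C:\Windows\Media\chime.wav"},
]

if __name__ == "__main__":
    for subject, host in flag_items(SAMPLE_ITEMS):
        print(f"EXTERNAL SHARE: {subject!r} -> {host}")
```

Only the two items pointing outside the constructed internal ranges and suffix are reported; local drive paths and single-label server names are left alone.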

Things UW-IT will do

  1. Block port 445 outbound. An emergency change was implemented during the event window in which network traffic destined for port 445 leaving the UW network was blocked. This change is permanent and is consistent with the practices of all major U.S. internet service providers. Contact ciso@uw.edu to discuss business process impacts.
  2. Computers managed by UW Managed Workstation Service will receive patches.

Recommendations for IT staff

  1. Immediately apply patches for all Windows machines you support.
  2. Follow the recommended mitigations on the Microsoft Security Vulnerability page for CVE-2023-23397.

Resources

Sophos Naked Security blog: Microsoft fixes two 0-days on Patch Tuesday – update now!

Bleeping Computer: Critical Microsoft Outlook bug PoC shows how easy it is to exploit

Microsoft documentation:

Microsoft Mitigates Outlook Elevation of Privilege Vulnerability

Microsoft Outlook Elevation of Privilege Vulnerability

Release notes and descriptions for various Outlook versions: