Original Article Text


Microsoft fixes Outlook security alerts bug caused by December updates

Microsoft has fixed an issue that triggers erroneous Outlook security alerts when opening .ICS calendar files after installing the December 2023 Outlook Desktop security updates.

The December Patch Tuesday security updates behind these inaccurate warnings patch the CVE-2023-35636 Microsoft Outlook information disclosure vulnerability, which attackers can exploit to steal NTLM hashes via maliciously crafted files. These credentials are used to authenticate as the compromised Windows user in pass-the-hash attacks, to gain access to sensitive data or spread laterally on their network.

Microsoft 365 users impacted by this issue see dialog boxes warning them that "Microsoft Office has identified a potential security concern" and that "This location may be unsafe" when double-clicking ICS files saved locally.

"This behavior is not expected when opening .ICS files. This is a bug and will be addressed in a future update," the Outlook Team said in February when Microsoft first acknowledged this known issue.

Microsoft has now found a fix for this issue and is shipping it with Outlook for Microsoft 365 Version 2404 Build 17531.20000 in the Beta Channel. Those affected can test the fix if they're in the Office Insider Channels. Current Channel users can expect to receive a fix for the issue on April 30th. Once the fix has been tested in production, it will be backported to Version 2402 for the Semi-Annual Enterprise Channel (Preview) during the June 2024 Patch Tuesday.

Until the fix is released to all affected users, those who are experiencing the issue can use a registry key to temporarily disable the erroneous security notifications. However, it's important to note that once this workaround is deployed, you'll also stop receiving security prompts for all other potentially dangerous file types.
To apply the workaround, you have to add a new DWORD key with a value of '1' to:

Affected Outlook users can also disable the warning dialogs by following the instructions in the 'Enable or disable hyperlink warning messages in Office programs' support document.

Redmond fixed another known Outlook issue last month, one that caused some Outlook desktop clients to stop syncing to email servers via Exchange ActiveSync. The company also addressed a bug behind Outlook.com connection issues on desktop and mobile email clients in February.

Daily Brief Summary

MISCELLANEOUS // Microsoft Rolls Out Fix for Outlook .ICS File Security Alert Bug

Microsoft has resolved an issue causing false security alerts to pop up in Outlook when opening .ICS calendar files after December 2023 updates.

The bug was introduced following an update that patched the CVE-2023-35636 vulnerability, which could be exploited to steal NTLM authentication hashes.

Users received misleading warnings about the potential security risks of certain locations when accessing .ICS files.

The fix is currently available for Microsoft 365 users in the Beta Channel, with a broader release planned for April 30th and backporting in June 2024.

As a temporary measure prior to the fix, users could disable the false alerts via a registry key, but were cautioned that this would also disable warnings for other potentially unsafe file types.

Microsoft recently fixed other Outlook-related syncing issues with email servers and connection problems on Outlook.com for both desktop and mobile email clients.