Microsoft Outlook has a critical vulnerability that could lead to unauthorized access and data leakage

marry 11.07.2024, 11:30 AM

Security researchers from Morphisec have discovered a critical vulnerability, CVE-2024-38021, that affects most Microsoft Outlook applications.

It’s a zero-click RCE (remote code execution) vulnerability, which Microsoft patched this week. It does not require any authentication, which distinguishes it from the previously disclosed vulnerability CVE-2024-30103, which required at least an NTLM token.

If exploited, CVE-2024-38021 could lead to data leakage, unauthorized access, and other malicious activities. Microsoft rated this vulnerability as “important” and highlighted the difference between trusted and untrusted senders.

For trusted senders, the vulnerability requires no user interaction at all; for untrusted senders, it requires a single click from the user.

Morphisec, which discovered the flaw and issued a warning about it on July 9, called on Microsoft to reclassify the vulnerability as “critical”, arguing that this rating better reflects its assessed risk.

The researchers agreed with Microsoft that this vulnerability is more complex than CVE-2024-30103, making immediate exploitation less likely. However, combining it with another vulnerability could simplify attacks.

The vulnerability was reported to Microsoft on April 21; Microsoft confirmed it on April 26 and patched it on July 9 as part of the package of updates the company releases on the second Tuesday of each month.

To mitigate the risk, it is important to update all Microsoft Outlook and Office applications with the latest patches. In addition, it is essential to implement robust email security measures, such as disabling automatic email preview and educating users about the risks of opening emails from unknown sources.

Photo: Ed Hardie | Unsplash

Source: www.informacija.rs