Overnight Microsoft has released a critical advisory regarding a vulnerability in the Microsoft Outlook email software that can lead to credential theft. This vulnerability affects all Microsoft Outlook from 2013 onwards.

The vulnerability has a CVSS score of 9.8/10 and has as severity of critical due to the low complexity in which the attack requires to be executed. It is imperative that the Microsoft Office suite is updated to patch the vulnerability as soon as possible.

What is CVE-2023-23397?

CVE-2023-23397 is a critical zero-day vulnerability, affecting Outlook, Office, and Microsoft 365 Apps for Enterprise. The vulnerability enables privilege escalation and allows for the theft of LAN manager (NTLM) credentials using new technology. The vulnerability can be exploited without any user interaction and could potentially occur before a message is viewed in the preview pane.

The vulnerability can be exploited when reminders are triggered on a malicious message that has the PidLidReminderFileParameter extended Messaging Application Programming Interface (MAPI) property configured with a universal naming convention (UNC) path of an attacker-controlled server message block (SMB) share.

An attacker, who is unauthenticated and remote, can send carefully crafted messages that connect to an external SMB server under their control. This would allow them to extract the user’s NTLM hash, which they could then use to authenticate with the user’s level of privilege after relaying the stolen hash to another service.

More information: https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/

Full Office update instructions can be found here: https://support.microsoft.com/en-us/office/install-office-updates-2ab296f3-7f03-43a2-8e50-46de917611c5

Microsoft blog article: https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/