Microsoft has issued a stark warning to Outlook users worldwide, advising the 500 million people who rely on this popular email software to download a new update. Without taking action, Outlook users risk giving cybercriminals access to their computer with a single click.
Security researchers at Morphisec discovered the troubling flaw, which affects almost every version of the Outlook application. After the vulnerability was disclosed to Microsoft, the company released a patch and labeled the flaw as “significant” in its severity rating, something the team at Morphisec believes is underselling the threat.
“Given the broader implications of this vulnerability, particularly its zero-click vector for trusted senders and its potential for much broader impact, we have asked Microsoft to reassess the severity and label it as ‘Critical’. This reassessment is critical to reflect the true risk and ensure that appropriate attention and resources are allocated to mitigation,” writes Michael Gorelik on Morphisec’s official blog.
Hackers could use the flaw within Outlook to “gain unauthorized access, execute arbitrary code, and cause significant damage without any user interaction,” the researchers warn. The fact that hackers don’t need to authenticate after they’ve gained access to your system makes this vulnerability particularly dangerous “as it opens the door for widespread exploitation,” they add.
Once they have infiltrated your computer, hackers can install malware or ransomware from anywhere in the world, delete files, or monitor your activity on screen. And all because you opened the wrong email in Outlook.
As we’d expect, the researchers haven’t released much information about the bug.
This is by design: millions are likely still vulnerable to the attack and, although Microsoft has confirmed that there is no evidence of hackers using the flaw in real-world attacks right now, it would be unwise to educate cybercriminals on exactly how the bug works.
However, the security experts at Morphisec repeatedly refer to “trusted senders” in their warning to Microsoft. Email addresses on your Safe Senders list, whose messages are never sent to the Junk folder regardless of their content, are particularly dangerous here, because hackers don’t need you to click anything to launch their attack using this new flaw.
If the email comes from an address that is not a trusted sender, cybercriminals will need to trick you into making a single click to run the malware.
The Outlook vulnerability has been named CVE-2024-38021 by Microsoft, and the fix is included in the so-called Patch Tuesday update, a regular package of security and bug fixes released on the second Tuesday of every month for Windows 10 and Windows 11 users worldwide.
Most laptops and desktop computers will automatically update their operating system.
However, it is possible to speed up the process by going to Settings > Windows Update and clicking on Check for updates to manually start the process.
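For readers who would rather confirm their patch state from a console than from the Settings app, the following PowerShell script is an added example (it is not from the article, Microsoft or Morphisec). It reads the installed Office build from the Click-to-Run registry key, asks the Windows Update agent for any pending updates, and lists the most recently installed hotfixes. It assumes a Click-to-Run Office installation (the registry path used is specific to that install type) and a Windows 10/11 client where the Microsoft.Update.Session COM object is available; no KB numbers or builds are hard-coded, because the article does not state them.

```powershell
# Added example, not from the article: report the installed Outlook/Office build,
# any pending Windows updates, and the latest installed hotfixes.
# Assumptions: Click-to-Run Office (registry path below is for that install type);
# Microsoft.Update.Session COM API present (standard on Windows 10/11 clients).
# Run from an elevated PowerShell prompt.

# 1. Installed Office/Outlook build (Click-to-Run installs record it here)
$c2r = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
if (Test-Path $c2r) {
    $ver = (Get-ItemProperty -Path $c2r).VersionToReport
    Write-Host "Office (Click-to-Run) build: $ver"
} else {
    Write-Host "No Click-to-Run Office install found; check Outlook > File > Office Account instead."
}

# 2. Updates the Windows Update agent knows about but has not yet installed
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0")
if ($result.Updates.Count -eq 0) {
    Write-Host "No pending updates: this machine is current with Windows Update."
} else {
    Write-Host "Pending updates ($($result.Updates.Count)):"
    foreach ($u in $result.Updates) {
        $kbs = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ', '
        Write-Host " - $($u.Title) [$kbs]"
    }
}

# 3. The five most recently installed Windows hotfixes, as a sanity check
#    that automatic updating is actually happening on this machine
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, InstalledOn
```

Note that Click-to-Run Outlook receives its own fixes through the Office updater rather than only through Windows Update, so a clean result in step 2 does not by itself prove Outlook is current; compare the build from step 1 against the fixed build listed in Microsoft’s advisory for CVE-2024-38021, or use File > Office Account > Update Options > Update Now inside Outlook.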
The flaw discovered in Outlook shows the importance of regular patches and security fixes. This will soon affect the millions of PC owners who still rely on Windows 10, which will stop receiving all security fixes from Microsoft next year unless you are willing to pay.
If you are unable to upgrade to Windows 11 due to the new system’s strict requirements, don’t want to buy one of the shiny new Copilot+ PCs released by Microsoft, Samsung, Lenovo and others, and cannot afford to pay for extended security updates from Microsoft or a third-party company, your data will be at risk as soon as the next vulnerability is discovered within Windows 10 or a popular application such as Outlook.
According to the researchers at Morphisec who discovered the flaw in Outlook, the issue affects almost all versions of the email client, something Microsoft has not denied in its public statements about the flaw.
Microsoft’s Patch Tuesday release not only has the fix for the latest Outlook flaw, but is also packed with updates for 142 flaws, including two actively exploited and two publicly disclosed zero-days. The latter refers to flaws that are already known to hackers, meaning it’s a race against time to ensure that as many people as possible update their computers to protect themselves against the ongoing attacks.
RECENT DEVELOPMENTS
Speaking to Forbes regarding the Outlook vulnerability, a Microsoft spokesperson said: “We greatly appreciate Morphisec for their research and for reporting it responsibly under a coordinated vulnerability disclosure. Customers who have installed the update are now protected.”