Windows admins plagued with issues after installing Outlook zero day patch
The patch comes along with Microsoft's monthly Patch Tuesday updates which fix 83 vulnerabilities and two total zero days
Windows users have reported a variety of problems when applying the latest Patch Tuesday updates from Microsoft.
The recent batch of updates saw fixes for 83 flaws in total, including two actively exploited zero-day vulnerabilities - one of which affected Outlook for several months between April and December 2022.
Tracked as CVE-2023-23397, this vulnerability was revealed to have been exploited by a hacker group with links to the Russian intelligence service, GRU. With a severity rating of 9.8, Microsoft advised admins to issue an immediate patch for the flaw.
However, users on the sysadmin Reddit community revealed they have encountered issues when patching, with some noting that Windows 11 devices have failed to authenticate with Outlook.
“Several of our Windows 11 PCs are not authenticating with Outlook (Microsoft 365) at all and the regular troubleshooting steps don’t fix it,” one user warned. “A profile reset was necessary, we found.”
“For CVE-2023-23397, in a test environment I added a user to the App Impersonation role, but when I run the script, it fails with a 401 unauthorised [error],” another added.
The source of this bug appears to be rooted in how admins are required to implement fixes for the Outlook vulnerability.
In its advisory, Microsoft said that users “must install the Outlook security update, regardless of where your mail is hosted (e.g. Exchange Online, Exchange Server, some other platform)”.
“But if your mailboxes are in Exchange Online or on Exchange Server, after installing the Outlook update, you can use a script we created to see if any of your users have been targeted using the Outlook vulnerability,” Microsoft added.
“The script will tell you if any users have been targeted by potentially malicious messages and allow you to modify or delete those messages if any are found.”
Microsoft noted that the script “will take some time to run” and advised that admins prioritise user mailboxes that are of “higher value to attackers”, such as executives, senior leadership personnel or admins.
Difficulties with the Outlook security update were not the only problems encountered by system admins. Other issues included:
- Inability to issue printer driver updates
- Failure to start Windows Deployment Services (WDS) after update reboots
- DCOM hardening measures preventing admins from turning off changes via the registry
- Microsoft Exchange workaround difficulties
This isn’t the first time admins have been forced to contend with broken patches issued by Microsoft.
In January last year, Windows Server admins revealed that they were forced to forgo patches and wait for the next month's update due to issues which caused significant operational disruption.
Similarly, in December 2022 Windows users complained of encountering ‘blue screen of death’ (BSOD) errors after installing security updates.
In a statement at the time, Microsoft said that the issue affected “selected users” who downloaded a fix for a bug found in the Camera app.
IT Pro has approached Microsoft for comment on how it plans to address reported issues.
‘Critical’ Outlook vulnerability
First uncovered by CERT-UA, the Ukrainian government cyber response unit, the Outlook vulnerability patched this week is one of the most severe issues encountered in recent months, according to Mike Walters, VP of vulnerability and threat research at Action1.
Mapping the digital attack surface
Why global organisations are struggling to manage cyber riskFree Download
The vulnerability was actively exploited in the wild between April and December last year, Microsoft revealed, and enables attackers to escalate privileges in Outlook.
Walters noted that the attack can be “executed without any user interaction” by sending a specially crafted email which triggers automatically when retrieved by the email server.
“This can lead to exploitation before the email is even viewed in the Preview Pane. If exploited successfully, an attacker can access a user’s Net-NTLMv2 hash, which can be used to execute a pass-the-hash attack on another service and authenticate as the user,” Walters added.
Subsequently, this would allow the threat actor to infiltrate user networks, change Outlook mailbox folder permissions, and extract emails from targeted accounts.
Windows SmartScreen vulnerability
Microsoft resolved a security feature bypass vulnerability in Windows SmartScreen during this latest round of updates too.
Also actively exploited in the wild, the vulnerability affects all currently supported versions of the Windows operating system, Microsoft warned.
“An attacker can craft a malicious file that would evade Mark of the Web (MOTW) defences, resulting in a limited loss of integrity and availability of security features such as Protected View in Microsoft Office, which rely on MOWT tagging,” the company wrote in its advisory.
With a CVSSv3.1 score of just 5.4, Walters warned that this particular vulnerability may “avoid notice” by many organisations since it does not appear “all that threatening”.
However, Microsoft warned that this exploit was likely used in an attack chain with additional exploits and represents a serious risk for organisations.
Defending against malware attacks starts here
The ultimate guide to building your malware defence strategyFree Download
Datto SMB cyber security for MSPs report
A world of opportunity for MSPsFree Download
The essential guide to preventing ransomware attacks
Vital tips and guidelines to protect your business using ZTNA and SSEFree Download
Medium businesses: Fuelling the UK’s economic engine
A Connected Thinking reportFree Download