Microsoft has issued a stern warning to Outlook users worldwide, advising the 500 million people who rely on the popular email software to download a new update. Without taking action, Outlook users are putting their PCs at risk of cybercriminals breaking into their systems with a single click.
Security researchers at Morphisec discovered the flaw, which affects nearly all versions of the Outlook application. After Morphisec disclosed the vulnerability to Microsoft, the company released a patch and rated the flaw “Important”, a severity rating the Morphisec team believes understates the threat.
“Given the broader implications of this vulnerability, particularly the zero-click vector for trusted senders and the potential impact on much broader distribution, we have asked Microsoft to reassess the severity and label it as ‘Critical’. This reassessment is critical to reflect the true risk and ensure that adequate attention and resources are allocated to mitigation,” writes Michael Gorelik in the official Morphisec blog.
Hackers can use the Outlook flaw to “gain unauthorized access, execute arbitrary code, and cause significant damage without any user interaction,” researchers warn. The fact that the attack requires no authentication makes this vulnerability particularly dangerous, “as it opens the door to widespread exploitation,” they add.
Once hackers infiltrate your PC, they can install malware or ransomware from anywhere on the planet, delete files or monitor your screen activity. All because you opened the wrong email in Outlook.
As we might expect, researchers have not revealed much information about the flaw.
This is intentional, as millions of people are likely still vulnerable to attack. While Microsoft has confirmed that there is currently no evidence of the flaw being used in real attacks, it is not a smart move to tell would-be cybercriminals exactly where the vulnerability lies.
HOW THE GLITCH WORKS
However, Morphisec security experts repeatedly refer to “trusted senders” in their warning to Microsoft. Messages from addresses in your Safe Senders list, which are never sent to the Junk folder regardless of their content, are particularly dangerous because hackers don’t need you to click on anything to launch an attack using this new flaw.
If the email comes from an untrusted address, cybercriminals must trick you into executing the malware with a single click.
Microsoft tracks the vulnerability as CVE-2024-38021, and the fix is included in the latest so-called Patch Tuesday update, a regular bundle of security and bug fixes released on the second Tuesday of every month to Windows 10 and Windows 11 users worldwide.
Most laptops and desktop PCs automatically update their operating system.
However, it is possible to speed up the process by going to Settings > Windows Update and clicking Check for updates to start the process manually. Note that Outlook itself is updated through Office’s own update mechanism rather than only through Windows Update: for Microsoft 365 and other Click-to-Run installs, open Outlook and go to File > Office Account > Update Options > Update Now, and check that the installed build matches the fixed build Microsoft lists in its advisory.
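The check above can be scripted for a fleet rather than clicked through per machine. The following PowerShell is an added example, not code from the article, Microsoft or Morphisec: it reports the installed Office Click-to-Run build and the OUTLOOK.EXE file version, lists recent hotfixes and any updates Windows Update has not yet installed, and compares Outlook against a minimum build. The `-MinimumBuild` default is a placeholder assumption; replace it with the fixed build number from Microsoft’s CVE-2024-38021 advisory, which this page does not state.

```powershell
<#
  Added example (not from the original article or from Microsoft/Morphisec):
  report the Outlook/Office build, recent hotfixes and pending Windows updates
  so an administrator can compare a machine against the fixed builds Microsoft
  lists in its CVE-2024-38021 advisory. Assumes a Click-to-Run (Microsoft 365 /
  Office 2019 or later) install; -MinimumBuild is a placeholder to take from the advisory.
#>
param(
    # Placeholder only: replace with the fixed Outlook build from the MSRC advisory.
    [version]$MinimumBuild = '16.0.0.0'
)

# 1. Office Click-to-Run configuration (registry key written by the Office installer).
$c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
if (Test-Path $c2rKey) {
    $cfg = Get-ItemProperty -Path $c2rKey
    Write-Host "Office build reported : $($cfg.VersionToReport)"
    Write-Host "Update channel URL    : $($cfg.CDNBaseUrl)"
} else {
    Write-Warning 'No Click-to-Run configuration found; this may be an MSI install serviced via Windows Update.'
}

# 2. Outlook binary version, located via the App Paths registry entry.
$appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
if (Test-Path $appPath) {
    $exe = (Get-ItemProperty -Path $appPath).'(default)'
    $fileVersion = [version](Get-Item $exe).VersionInfo.FileVersion
    Write-Host "OUTLOOK.EXE version   : $fileVersion ($exe)"
    if ($fileVersion -lt $MinimumBuild) {
        Write-Warning "Outlook is below the minimum build $MinimumBuild; run File > Office Account > Update Now."
    } else {
        Write-Host "Outlook meets the minimum build $MinimumBuild."
    }
} else {
    Write-Warning 'OUTLOOK.EXE is not registered on this machine.'
}

# 3. Most recently installed Windows hotfixes (from Win32_QuickFixEngineering).
Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn |
    Format-Table -AutoSize

# 4. Updates Windows Update knows about but has not installed (Windows Update Agent COM API).
try {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search('IsInstalled=0 and IsHidden=0')
    if ($result.Updates.Count -eq 0) {
        Write-Host 'No pending Windows updates.'
    } else {
        Write-Host "$($result.Updates.Count) pending Windows update(s):"
        foreach ($u in $result.Updates) { Write-Host "  - $($u.Title)" }
    }
} catch {
    Write-Warning "Windows Update search failed: $($_.Exception.Message)"
}
```

Run it in an elevated PowerShell session; the Windows Update search in step 4 can take a minute because it contacts the update service. A machine whose Office build is current but whose Outlook file version is below the advisory’s fixed build usually means Outlook was still open when the update applied and needs a restart.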
The flaw discovered in Outlook shows the importance of regular patches and security fixes. This will soon matter for the millions of PC owners who still rely on Windows 10, which will stop receiving Microsoft security updates next year unless users are willing to pay for extended support.
If you can’t upgrade to Windows 11 because of its strict new system requirements, don’t want to bother with any of the shiny new Copilot+ PCs released by Microsoft, Samsung, Lenovo and others, and cannot afford to pay for additional security updates from Microsoft or a third party, your data is at risk whenever a new security hole is discovered in Windows 10 or in a popular application like Outlook.
According to researchers at Morphisec, who discovered the bug in Outlook, the issue affects nearly all versions of the email client, something Microsoft has not denied in its public statements about the flaw.
Microsoft’s Patch Tuesday release not only includes the fix for the latest Outlook flaw, but also comes packed with updates for 142 flaws, including two actively exploited and two publicly disclosed zero-days. A zero-day is a flaw that is already known to attackers before a fix is available, meaning it’s a race against time to get as many people as possible to update their PCs to protect themselves from the ongoing attacks.
LATEST DEVELOPMENTS
In conversation with Forbes regarding the Outlook vulnerability, a Microsoft spokesperson said, “We are very grateful to Morphisec for their investigation and for responsibly reporting it through a coordinated vulnerability disclosure. Customers who have installed the update are already protected.”