Supported versions of Outlook for Windows in Office and Microsoft 365 will continue to connect to Microsoft 365 services as expected. To see a list of the currently supported versions, visit Update history for Microsoft 365 Apps (listed by date) (for Microsoft 365 Apps) or Latest updates for versions of Office that use Windows Installer (MSI) (see “Latest Public Update” for Office 20).
Versions that are newer than minimum version requirements listed above, but are not the currently supported version, may experience connectivity issues. Action: Ensure Outlook for Windows client are updated accordingly.
Timing: Beginning Novemand will be complete by mid-May 2022. Microsoft 365 Apps for business (formerly Office 365 Business) Microsoft 365 Apps for enterprise (formerly Office 365 ProPlus) The attacker could then relay the stolen NTLM hash to another service and authenticate with that user's level of privilege.Starting November 1, 2021, the following versions of Outlook for Windows, as part of Office and Microsoft 365 Apps, will not be able to connect with Office 365 and Microsoft 365 services. Microsoft reports knowledge of targeted exploitation of this privilege escalation vulnerability that allows for new technology LAN manager (NTLM) credential theft. No user interaction is required, and exploitation could occur before a message is viewed in the preview pane.ĬVE-2023-23397 can be exploited when reminders trigger on a malicious message with the PidLidReminderFileParameter extended Messaging Application Programming Interface (MAPI) property configured to a universal naming convention (UNC) path of an attacker-controlled server message block (SMB) share.Īn unauthenticated, remote attacker could send specially crafted messages that would cause a connection to an external attacker-controlled SMB server, leaking the NTLM hash of the user. 
Microsoft has released security updates for a critical zero-day vulnerability in Outlook, Office, and Microsoft 365 Apps for Enterprise known as CVE-2023-23397.
0 kommentar(er)
