Microsoft has issued a stark warning to Outlook users worldwide, advising the 500 million people who rely on this popular email software to download a new update. Without taking action, Outlook users risk enabling cybercriminals to break into their PC with a single click.
Security researchers at Morphisec discovered the worrying flaw, which impacts almost all versions of the Outlook application. After disclosing the vulnerability to Microsoft, the company issued a patch and labelled the flaw as "Important" on its severity rating — something the team at Morphisec believes is underselling the threat.
"Given the broader implications of this vulnerability, particularly its zero-click vector for trusted senders and its potential for much wider spread impact, we have requested Microsoft to reassess the severity and label it as 'Critical.' This reassessment is crucial to reflect the true risk and ensure adequate attention and resources are allocated for mitigation," Michael Gorelik writes in the official Morphisec blog.
Hackers can use the flaw within Outlook to "gain unauthorised access, execute arbitrary code, and cause substantial damage without any user interaction," researchers warn. The fact hackers don't need to seek authentication after they've gained access to your system makes this vulnerability particularly dangerous "as it opens the door to widespread exploitation," they add.
Once they've infiltrated your PC, hackers can install malware or ransomware from anywhere on the planet, delete files, or monitor your activity on-screen. And all because you opened the wrong email in Outlook.
As we'd expect, researchers haven't revealed too much information about the flaw.
This is by design since millions are likely still vulnerable to attack and, although Microsoft has confirmed there's no evidence of hackers using the flaw in real-world attacks right now, it's not a smart move to educate wannabe cybercriminals about exactly how the glitch works.
However, the security experts at Morphisec make repeated reference to “trusted senders” in their warning to Microsoft. Email addresses in your Safe Senders List, which are never sent to the Junk folder — regardless of the content of the message, are particularly dangerous as hackers don't need you to click anything to begin their attack using this new flaw.
If the email comes from an address that isn't a trusted source, cybercriminals will need to tempt you into making a single click to executive the malware.
The Outlook vulnerability has been named CVE-2024-38021 by Microsoft, and the fix has been included in the latest so-called Patch Tuesday update — a regular bundle of security and bug fixes issued on the second Tuesday of each month for Windows 10 and Windows 11 users worldwide.
Most laptops and desktop PCs will update their operating system automatically.
However, it's possible to speed up the process, by heading to Settings > Windows Update, and clicking on Check For Updates to manually kickstart the process.
The flaw discovered in Outlook shows the importance of regular patches and security fixes. This will soon impact millions of PC owners who still rely on Windows 10, which will stop receiving all security fixes from Microsoft next year — unless you're willing to pay.
If you're unable to upgrade to Windows 11 due to the strict new system requirements, don't fancy buying one of the shiny slate of new Copilot+ PCs released by Microsoft, Samsung, Lenovo, and others, and can't afford to pay for additional security updates from Microsoft or a third-party company, your data will be at-risk as soon as the next vulnerability is discovered within Windows 10 or a popular application, like Outlook.
According to the researchers at Morphisec, who uncovered the bug in Outlook, the issue impacts almost all versions of the email client — something Microsoft hasn't denied in its public statements about the flaw
Microsoft's Patch Tuesday release doesn't just have the fix for the latest Outlook flaw, but it's also packed with updates for 142 flaws, including two actively exploited and two publicly disclosed zero-days. The latter refers to a flaw that's already known to hackers, meaning it's a race against time to ensure as many people as possible update their PC to shield themselves against the ongoing attacks.
LATEST DEVELOPMENTS
Speaking to Forbes about the Outlook vulnerability, a spokesperson for Microsoft said: "We greatly appreciate Morphisec for their research and for responsibly reporting it under a coordinated vulnerability disclosure. Customers who have installed the update are already protected."
