On March 14th, Microsoft disclosed a critical security vulnerability that affects Outlook email clients running on Windows. Microsoft has released an update to address this vulnerability as part of this month’s regular updates. ETS has made this update mandatory starting today, so Windows machines that normally receive updates from ETS will receive it right away.
If you are responsible for or have knowledge of any non-managed machines (including personal computers running Outlook), you should ensure this patch is applied to them as soon as possible. Running Windows Update on these machines will apply the full suite of patches that includes mitigation for this vulnerability. The patches may also be downloaded individually at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397 (under “Security Updates”).
Microsoft has released a brief technical description of the vulnerability, and Tenable’s narrative of this week’s patch release includes a more detailed description (under “CVE-2023-23397 | Microsoft Outlook Elevation of Privilege Vulnerability”).
Please contact the Information Security Office with any questions.