July 16, 2024 at 08:25AM
Microsoft has resolved an Outlook security bug causing incorrect alerts after December updates. These alerts resulted from an information disclosure vulnerability, potentially allowing attackers to steal NTLM hashes. Despite initial fixes, the issue resurfaced in April and was finally resolved in the July 9th public update, prompting users to reverse any workarounds applied. Additionally, Microsoft announced plans to deprecate basic authentication for Outlook personal email accounts by September 16.
Based on the meeting notes provided, here are the key takeaways:
– Microsoft has fixed a known Outlook issue that was triggering incorrect security alerts after installing the December security updates for Outlook Desktop. This issue was acknowledged in February and was related to unexpected warnings when double-clicking ICS calendar files.
– The alerts were caused by the Outlook security updates patching an information disclosure vulnerability (CVE-2023-35636) that could allow attackers to steal NTLM hashes using maliciously crafted files.
– The stolen NTLM hashes could lead to pass-the-hash attacks, gaining access to sensitive data, or moving laterally within the network.
– The issue was initially fixed in April but was rolled back after issues were found during testing in the Insider channels. However, it was finally fixed in the July 9th public update for Outlook Desktop.
– Customers who applied a workaround recommended by Microsoft are advised to reverse it before installing the patched Outlook builds to ensure the bug has been addressed.
– Microsoft also announced the deprecation of basic authentication for Outlook personal email accounts by September 16 and shared a temporary fix for a bug preventing Microsoft 365 users from replying to encrypted emails using the Outlook Desktop client.
These takeaways summarize the key points from the meeting notes and provide a clear understanding of the discussed topics.