Another critical Microsoft alert after Patch Tuesday - Patch your Outlook NOW!
Take action: You need to update your Microsoft Outlook. Now. This is not a debate.
Microsoft is issuing a specific warning about a critical vulnerability in Microsoft Outlook, tracked as CVE-2024-21413 (CVSS score 9.8). The flaw allows for remote code execution (RCE) without requiring authentication from the attacker.
The flaw enables the bypassing of Office Protected View, a feature intended to prevent harmful content from being executed by opening Office files in a read-only mode. Specifically, the vulnerability can be exploited through the Outlook Preview Pane when a maliciously crafted Office document is previewed, so an unauthenticated attacker only needs to send a malicious email and have the recipient preview it.
This vulnerability affects a range of Office products, including
- Microsoft Office LTSC 2021,
- Microsoft 365 Apps for Enterprise,
- Microsoft Outlook 2016,
- Microsoft Office 2019.
The exploitation method involves crafting hyperlinks that utilize the "file://" protocol with an added exclamation mark and arbitrary text, which bypasses Outlook's security measures and allows for remote resource access without triggering warnings.
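As an added defender-side example (not code from this advisory or from Microsoft), the following Python script scans an email body for hyperlinks of the shape described above: a `file:` scheme whose target carries an exclamation mark and trailing text. It checks both `<a href>` attributes and bare URLs in plain text. The sample bodies, the `example.invalid` host and the `clean`/`review`/`block` labels are constructed for the example; decoding percent-encoding before the check is a defensive assumption of mine, not something the advisory states.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample email bodies (not real messages) used to exercise the detector.
SAMPLE_EMAILS = {
    "benign": '<p>Quarterly report attached.</p><a href="https://example.invalid/q1.docx">Open</a>',
    "plain_file_link": '<a href="file://example.invalid/share/q1.docx">Open</a>',
    "bang_file_link": '<a href="FILE://example.invalid/share/q1.docx!notes">Open report</a>',
    "text_only": "Please review file://example.invalid/share/q1.docx%21x before Friday.",
}

# Bare file: URLs in plain text; stops at whitespace, quotes and angle brackets.
_URL_IN_TEXT = re.compile(r"""file:[^\s"'<>]+""", re.IGNORECASE)


class _LinkExtractor(HTMLParser):
    """Collect href values of <a> tags from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.links.append(value.strip())


def extract_links(body):
    """Return every candidate link: <a href> values plus bare file: URLs in text."""
    parser = _LinkExtractor()
    parser.feed(body)
    links = list(parser.links)
    links.extend(m.group(0) for m in _URL_IN_TEXT.finditer(body))
    return links


def classify_link(href):
    """Classify one hyperlink.

    None              -> not a file: link
    "file-link"       -> file: link without '!' (unusual in mail, worth a look)
    "file-link-bang"  -> file: link whose target carries '!' followed by text,
                         the shape the advisory describes
    Percent-encoding is decoded first (defensive assumption: an encoded %21 is
    treated like a literal '!'); the scheme comparison is case-insensitive.
    """
    decoded = unquote(href).strip()
    if urlsplit(decoded).scheme.lower() != "file":
        return None
    target = decoded.split(":", 1)[1]
    return "file-link-bang" if "!" in target else "file-link"


def scan_email(body):
    """Return [(href, verdict)] for every file: link found, de-duplicated."""
    seen = {}
    for link in extract_links(body):
        verdict = classify_link(link)
        if verdict is None:
            continue
        key = unquote(link).strip().lower()
        seen.setdefault(key, (link, verdict))
    return list(seen.values())


def verdict_for(body):
    """Highest-severity label for a body: 'block', 'review' or 'clean'."""
    verdicts = {v for _, v in scan_email(body)}
    if "file-link-bang" in verdicts:
        return "block"
    if "file-link" in verdicts:
        return "review"
    return "clean"


if __name__ == "__main__":
    for name, body in SAMPLE_EMAILS.items():
        print(f"{name:16} -> {verdict_for(body)} {scan_email(body)}")
```

A mail gateway or a mailbox-search script can run `verdict_for` over inbound HTML and text parts; anything that comes back `block` is worth quarantining and hunting for across other mailboxes until the Outlook update is deployed. The `review` tier exists because a plain `file:` link in external mail is rare enough to deserve a look even when the bang is absent.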