Microsoft has finally fixed a known Outlook issue, confirmed in February, which was triggering incorrect security alerts after installing the December security updates for Outlook Desktop.

The company acknowledged the bug in early February after many Microsoft 365 users reported seeing unexpected warnings that “This location may be unsafe” and “Microsoft Office has identified a potential security concern” when double-clicking ICS calendar files.

Microsoft tagged the alerts as erroneous: they are a side effect of the Outlook security updates, which patch an information disclosure vulnerability (CVE-2023-35636) that lets attackers capture a user's NTLM authentication hashes by getting them to open a maliciously crafted file.

What leaks in this kind of attack is the user's Net-NTLMv2 challenge-response rather than the raw NT hash, so it cannot be used directly in pass-the-hash attacks. Attackers can instead crack it offline to recover the user's password, or relay it to other services that accept NTLM authentication, and from there gain access to sensitive data or move laterally within the network.

Redmond fixed the issue in early April but rolled it back after shipping it to Office Insiders in the Beta Channel. “The Outlook Team found issues with the fix while it was being tested in the Insider channels,” Microsoft said.

However, in a new update to the same support document on Monday, the company said the known issue was finally fixed in the July 9th public update for Outlook Desktop.

Customers who applied the workaround Microsoft recommended while the bug was open, which involved adding registry keys to suppress the security notice, are advised to remove those keys once the patched Outlook build is installed and confirm that the prompts no longer appear. Leaving the keys in place is not a safe permanent setting, since they suppress the Office security notice for every file type, not only .ICS files.

“If you set the registry keys below to temporarily disable the security notice, you can test removing them and confirm the latest fix addresses the issue,” Redmond explained.

“If you decide to use the registry key, please be aware it will stop security notice prompts for all types of files and not just for the .ICS files.”

Last month, Microsoft also announced that it would deprecate basic authentication for Outlook personal email accounts by September 16.

One month earlier, it shared a temporary fix for a bug preventing Microsoft 365 users from replying to encrypted emails using the Outlook Desktop client.


Source: www.bleepingcomputer.com