Response to Critical Outlook Vulnerability (CVE-2023-23397)
You may have heard about a recently disclosed critical vulnerability in Microsoft Outlook for Windows. It is particularly bad because an attacker can obtain sensitive authentication material (your Windows NTLM credential hash, which can be relayed or cracked) simply by sending you a specially crafted email. You don't even have to open it: Outlook leaks the credential when the client retrieves and processes the message.
Although Microsoft is aware of only limited, targeted exploitation of this vulnerability, we need to act fast to reduce the risk to customers. Our response and mitigation steps apply only to devices managed under a Support Agreement, Cloud Servers, Dedicated Servers and shared/hosted services. If your IT is managed by another party, please make sure they are taking appropriate action.
Please read the section relevant to you below to understand what's happening next:
I'm a user
If your Outlook is vulnerable, we will be carrying out a forced upgrade of your Office applications from today at 1530. If your device is not online this will happen after it is switched on, or sometime later if we need to intervene manually.
Please ensure any documents you are working on are set to auto-save, as your Office applications may close without warning to complete the update. We apologise for any inconvenience this will cause, but it is necessary due to the severity of the vulnerability.
I'm technical or management and want to know more...
The information for "I'm a user" applies to you too, but here is some more detail about how we're approaching the problem:
MSI Versions of Outlook and Office
Affects all 2013 versions and all 2016 versions not deployed with Click-to-Run technology. We will be:
- Using existing patching technology in our management software to detect patches needed and monitor that they are applied
- Using custom reports to find devices with versions known to be vulnerable and working through these manually
Click-to-Run (C2R) Versions of Outlook and Office
Affects only 2016 versions which use C2R, and all later versions (including anything ever provided as part of Office 365 / Microsoft 365), which have only ever been available with C2R (i.e. not MSI). We will be:
- Using a bespoke monitoring policy to detect vulnerable versions
- Vulnerable desktops will be automatically and forcibly updated to the latest version (in the relevant channel)
- Vulnerable servers will be manually updated by engineers; the timing will depend on individual customer circumstances.
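As an added example (this is not code from the notice or from our management tooling), the PowerShell script below does on a single Windows device what the two detection steps above describe: it works out whether Outlook is an MSI or Click-to-Run (C2R) install, reads the Outlook.exe build, compares it with a minimum fixed build, and can trigger the same forced C2R update that will close open Office applications. It assumes the standard registry locations (the App Paths entry for OUTLOOK.EXE and the ClickToRun\Configuration key) and the standard OfficeC2RClient.exe update switches. No patched build numbers are hard-coded: the operator passes them in from Microsoft's advisory for the product and update channel being checked.

```powershell
# Added example, not part of the original notice.
# Usage: .\Check-OutlookCve202323397.ps1 -MinFixedC2R 16.0.x.y -MinFixedMsi 16.0.x.y [-Remediate]
# Supply the patched build numbers from Microsoft's CVE-2023-23397 advisory for the
# channel/product you are targeting; none are assumed here.
[CmdletBinding()]
param(
    [Parameter(Mandatory)][version]$MinFixedC2R,   # fixed build for this C2R update channel
    [Parameter(Mandatory)][version]$MinFixedMsi,   # fixed build for the MSI product (15.0.x = 2013, 16.0.x = 2016)
    [switch]$Remediate                              # force a C2R update if the install is below the threshold
)

function Get-OutlookInstallInfo {
    # App Paths registers Outlook.exe for MSI and C2R installs alike; 32-bit Outlook on
    # 64-bit Windows is registered under the WOW6432Node view, so check both.
    $appPathKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
    )
    $exePath = $null
    foreach ($k in $appPathKeys) {
        $reg = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($reg -and $reg.'(default)' -and (Test-Path -LiteralPath $reg.'(default)')) {
            $exePath = $reg.'(default)'
            break
        }
    }
    if (-not $exePath) { return $null }   # Outlook is not installed on this device

    $exe = Get-Item -LiteralPath $exePath
    # FileVersion may carry trailing text; keep only the leading dotted numbers.
    $build = [version]([regex]::Match($exe.VersionInfo.FileVersion, '^\d+(\.\d+){1,3}').Value)

    # Presence of the ClickToRun\Configuration key is what distinguishes C2R from MSI.
    $c2rKey = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $isC2r  = Test-Path $c2rKey
    $cfg    = if ($isC2r) { Get-ItemProperty -Path $c2rKey } else { $null }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        InstallType = if ($isC2r) { 'C2R' } else { 'MSI' }
        Build       = $build
        Channel     = if ($cfg) { $cfg.CDNBaseUrl } else { $null }      # CDN URL identifies the update channel
        Reported    = if ($cfg) { $cfg.VersionToReport } else { $null } # version C2R reports to management tools
        Path        = $exe.FullName
    }
}

function Test-OutlookVulnerable {
    param([pscustomobject]$Info, [version]$Threshold)
    # Only compare builds within the same major version (15.0 vs 16.0 are different products);
    # anything else is reported as Unknown so it is checked manually rather than assumed safe.
    if ($Info.Build.Major -ne $Threshold.Major) { return 'Unknown' }
    return ($Info.Build -lt $Threshold)
}

$info = Get-OutlookInstallInfo
if (-not $info) { Write-Output "$($env:COMPUTERNAME): Outlook not installed"; return }

$threshold  = if ($info.InstallType -eq 'C2R') { $MinFixedC2R } else { $MinFixedMsi }
$vulnerable = Test-OutlookVulnerable -Info $info -Threshold $threshold
$info | Add-Member -NotePropertyName Vulnerable -NotePropertyValue $vulnerable -PassThru

if ($Remediate -and $vulnerable -eq $true) {
    if ($info.InstallType -eq 'C2R') {
        # Same forced update the notice describes: displaylevel=false hides the UI,
        # forceappshutdown=true closes open Office apps (hence the auto-save advice).
        $client = Join-Path $env:ProgramFiles 'Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe'
        & $client /update user displaylevel=false forceappshutdown=true
    } else {
        Write-Warning "MSI install: apply the Outlook security update through patch management; C2R self-update is not available."
    }
}
```

Run it once per threshold set: C2R fixed builds differ by update channel (the Channel column shows which CDN the device follows), and MSI thresholds differ between 2013 (15.0.x) and 2016 (16.0.x), which is why a major-version mismatch is reported as Unknown rather than as safe. For fleet-wide reporting, invoke it through your management tooling and collect the emitted object; the Vulnerable column is what the custom report or monitoring policy above keys on.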