This month’s “Patch Tuesday” update from Microsoft addressed a significant security flaw in Outlook. Most systems should have received the update automatically, but users who have disabled Windows Update should re-enable it and apply the patch immediately. The vulnerability can be exploited simply by opening an email.
The security company Morphisec discovered the threat and explained that this flaw is especially dangerous as it allows attackers to control the victim’s computer remotely, potentially spreading malware, installing ransomware, or stealing sensitive information.
Morphisec collaborated with Microsoft to address the issue and did not disclose the vulnerability until Microsoft released a fix. Detailed technical information about the bug will be shared at a security conference later this year.
The vulnerability is triggered when a user opens a malicious email in most Microsoft Outlook clients, with no need to open an attachment or click a link. This is particularly risky because some Outlook clients automatically open the first email in the inbox on startup, so an attack can succeed with no user interaction at all if that first email is malicious.
Microsoft identified the bug as CVE-2024-30103 and included a fix in the June 2024 Security Update, which began rolling out on June 11. The company rated the bug as “important” rather than “critical” because there is no evidence yet of active exploitation. However, now that the flaw is public, the risk of exploitation could increase.
Microsoft advises users to keep security updates set to download and install automatically. Those who have chosen manual updates should immediately install the fix if they use Outlook.