Microsoft has issued guidance on two critical vulnerabilities that may affect its customers.
All versions of Outlook have been impacted by CVE-2023-23397 – a critical extension of privilege in Microsoft Outlook in Windows. Exploits of have already occurred whereby the vulnerability is triggered on receipt of a malicious email and executed before the email is read in the preview pane. Crucially, no user interaction is required for infection to occur.
Updating Outlook will mitigate the risk. Users should select the ‘File’ menu, followed by ‘Office Account’ and perform the update via ‘Office Updates’.
For more information on this vulnerability, see Microsoft Outlook Elevation of Privilege Vulnerability – CVE-2023-23397.
In a separate issue, Microsoft is testing an updated version of the Windows 11 Snipping Tool that fixes the “Acropalypse” vulnerability that allowed the partial restoration of deleted content from cropped images. This flaw is considered a privacy risk, as users often use the tool to remove sensitive information from images. The bug was first identified in Google Pixel’s Markup Tool and fixed in the Google Pixel March security updates. It was later discovered that it also affected the Windows 11 Snipping Tool. A new version will be made available in the coming weeks once testing is complete.
DigitalWell customers concerned at how vulnerabilities may affect any of our products should contact firstname.lastname@example.org for further advice.