Microsoft Outlook December updates trigger ICS security alerts


Microsoft is investigating an issue that triggers Outlook security alerts when trying to open .ICS calendar files after installing December 2023 Patch Tuesday Office security updates.

Microsoft 365 users affected by this issue report seeing dialog boxes warning them that “Microsoft Office has identified a potential security concern” and that “This location may be unsafe” when double-clicking ICS files saved locally.

“This behavior is not expected when opening .ICS files. This is a bug and will be addressed in a future update,” Microsoft explains in this support document.

The company also revealed that the security warning will be displayed after deploying a security update that patches the CVE-2023-35636 Microsoft Outlook information disclosure vulnerability.

If left unpatched, the security flaw can be exploited by attackers to trick users of unpatched Outlook installations into opening maliciously crafted files to steal NTLM hashes (their obfuscated Windows credentials).

The attackers can later use them to authenticate as the compromised user, gain access to sensitive data, or spread laterally on their network.

​Workaround available

Until a resolution is available, Redmond shared a temporary fix for those impacted in the form of a registry key that would disable the security notice.

However, once this workaround is deployed, it’s also important to note that you’ll stop receiving security prompts for all other potentially dangerous file types, not just ICS calendars.

Those affected by this known issue have to add a new DWORD key with a value of ‘1’ to:

  • HKEY_CURRENT_USERsoftwarepoliciesmicrosoftoffice16.0commonsecurity (Group Policy registry path)
  • ComputerHKEY_CURRENT_USERSoftwareMicrosoftOffice16.0CommonSecurity (OCT registry path)

Impacted customers can also disable the dialog by following the step-by-step instructions available in the ‘Enable or disable hyperlink warning messages in Office programs’ support document.

Microsoft fixed another known Outlook issue earlier this month, causing desktop and mobile email clients to fail to connect when using Outlook.com accounts.

In December, the company addressed two more bugs causing problems for users with lots of folders when sending emails and one more causing Outlook Desktop clients to crash when sending emails from Outlook.com accounts.



Source link