• Skip to Content
  • Skip to Main Navigation
  • Skip to Search

Indiana University Indiana University IU

Open Search
  • Personal Preparedness
    • Email & phishing scams
    • Identity verification
    • IU passphrases
    • Hardware & software security
      • Laptop & mobile device security
      • Malware, scareware, & ransomware
      • Wearable technologies
      • Use of survey software
    • File sharing & copyright
      • Contesting copyright infringement notices
      • Disabling peer-to-peer file sharing
      • Copyright tutorial
      • Copyright infringement incident resolution
    • Vulnerability Disclosure Guidance
    • Keeping data safe
    • Web privacy
    • Account privileges
    • Remote Desktop
  • Information & IT Policies
    • Policy Hierarchy
    • Privacy policies & FAQ
    • Acceptable Use Agreement
    • Information & IT Policy Process
    • Cyber Risk Review
    • IT-12 Security Standards
  • Information Security & Privacy Program
    • Scope
    • Goals & Objectives
    • Governance
    • Principles
    • Safeguards
      • Risk assessment and treatment
      • Policy administration
      • Organization
      • Asset management
      • Human resources
      • Physical & environmental security
      • Communications & operations management
      • Identity & access control
      • Information systems acquisition, development, and maintenance
      • Incident management
      • Business continuity management
      • Compliance
    • Charter
  • Privacy Portal
    • Privacy matters
    • Sensitive data
      • Guidelines
    • Sharing institutional data with third parties
  • Resources for IT Staff
    • Information Risk Assessments
    • SecureMyResearch
    • Cloud computing
    • Audits & requirements
    • Data encryption
    • Back up data
    • Information security best practices
    • CIS Secure Suite
    • Disaster recovery planning
    • Managing employee data
    • Medical device security
    • Transferring data securely
    • Using SSH
    • Additional resources
      • Privacy Notice Generator
      • Incident Response Webservice
      • SSL/TLS certificates
  • About
    • Glossary of Terms
    • Trustees Resolution
  • Contact
  • Report an Incident
    • Report Privacy Incident or Request Assistance
    • Emergency IT Incidents
    • Managing Incidents
    • Identity Theft
    • Reporting Suspected Sensitive Data Exposures
    • Reporting Suspected HIPAA Data Exposures

Information Security & Policy

  • Home
  • Personal Preparedness
    • Email & phishing scams
    • Identity verification
    • IU passphrases
    • Hardware & software security
    • File sharing & copyright
    • Vulnerability Disclosure Guidance
    • Keeping data safe
    • Web privacy
    • Account privileges
    • Remote Desktop
  • Information & IT Policies
    • Policy Hierarchy
    • Privacy policies & FAQ
    • Acceptable Use Agreement
    • Information & IT Policy Process
    • Cyber Risk Review
    • IT-12 Security Standards
  • Information Security & Privacy Program
    • Scope
    • Goals & Objectives
    • Governance
    • Principles
    • Safeguards
    • Charter
  • Privacy Portal
    • Privacy matters
    • Sensitive data
    • Sharing institutional data with third parties
  • Resources for IT Staff
    • Information Risk Assessments
    • SecureMyResearch
    • Cloud computing
    • Audits & requirements
    • Data encryption
    • Back up data
    • Information security best practices
    • CIS Secure Suite
    • Disaster recovery planning
    • Managing employee data
    • Medical device security
    • Transferring data securely
    • Using SSH
    • Additional resources
  • Search
  • About
  • Contact
  • Report an Incident
  • Home
  • Security Bulletins
  • Outlook for Windows Vulnerability

Outlook for Windows Vulnerability

Tuesday, March 21, 2023

Background

On March 14, 2023, Microsoft disclosed a vulnerability in Outlook for Windows that allows credential theft. Microsoft has released a patch for Outlook to address this vulnerability.There are no user-level workarounds to mitigate this vulnerability so users should update Outlook as soon as possible.

Impact

Malicious actors can send specially crafted emails that expose user credentials to the attacker. These credentials can then be used by the attacker to authenticate as the victim. This vulnerability requires no user interaction and will execute upon receipt in the Outlook client BEFORE being opened or seen in the preview pane.

Platforms Affected

All supported versions of Microsoft Outlook for Windows are affected. Other versions of Microsoft Outlook such as Android, iOS, Mac, as well as Outlook on the web and other M365 services are not affected.

Local Observations

The UISO has not observed local attacks exploiting this vulnerability. 

UISO recommendations

The UISO recommends applying the patch provided by Microsoft as soon as possible, regardless of where your mail is hosted. It can be applied via Windows Update or finding your appropriate version of Windows on the update guide.

Further Reading

  1. https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23397 
  2. https://msrc.microsoft.com/blog/2023/03/microsoft-mitigates-outlook-elevation-of-privilege-vulnerability/ 
  3. https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2023-exchange-server-security-updates/ba-p/3764224

Information Security & Policy resources

  • Leading in Cybersecurity
  • IU Data Management

Indiana University

Accessibility | College Scorecard | Privacy Notice | Copyright © 2024 The Trustees of Indiana University