
Microsoft Fixes Failed Patch for Exploited Outlook Vulnerability

Bad actors have exploited a critical privilege-escalation bug in Microsoft Outlook that came to light in March. Microsoft’s May security update includes a patch for the bug, tracked as CVE-2023-23397. The vulnerability allowed attackers to steal user passwords when Microsoft Outlook clients connected to attacker-controlled servers. Microsoft patched the bug by preventing Outlook clients from making these connections.

A researcher from Akamai noticed another issue in which simply adding one extra character bypassed the patch. Including a forward slash character in the Universal Naming Convention (UNC) path let attackers craft malicious URLs that passed the MapUrlToZone security check. Microsoft addressed this new bug, called CVE-2023-2932, in its patch release this week. In the release notes, Microsoft stated that the new bug allowed bad actors to craft URLs capable of evading the security measures implemented after CVE-2023-23397. The company is urging users to apply both patches to be protected from these vulnerabilities.
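As an added illustration (not code from this brief, from Microsoft or from Akamai), the following Python model shows the check-then-use mismatch behind the bypass described above: a zone check that classifies the raw path string while the code that opens the file treats forward and backward slashes alike. The sample paths, the hostname and the one-line canonicalisation are assumptions made for the model; they are not the real MapUrlToZone logic.

```python
from typing import List

# Constructed sample inputs (not taken from the advisory): the same reminder
# file path written with backslashes, with forward slashes, and mixed.
SAMPLE_PATHS = [
    r"C:\Windows\Media\chimes.wav",
    r"\\files.example.net\share\reminder.wav",
    r"//files.example.net/share/reminder.wav",
    r"\/files.example.net\share\reminder.wav",
]

def canonicalize(path: str) -> str:
    # Assumption for this model: the component that opens the file treats
    # '/' and '\' as the same separator, so every UNC spelling looks alike to it.
    return path.replace("/", "\\")

def is_remote_unc(path: str) -> bool:
    # A path beginning with two backslashes names a share on another host.
    return path.startswith("\\\\")

def naive_allows(path: str) -> bool:
    # Flawed check: classifies the raw string. A '/' spelling slips past
    # because this check and the file-opening code disagree on its meaning.
    return not is_remote_unc(path)

def hardened_allows(path: str) -> bool:
    # Fix: classify exactly the form the consumer will use, never the raw input.
    return not is_remote_unc(canonicalize(path))

def consumer_reaches_remote(path: str) -> bool:
    # What actually happens once the path is handed to the file-opening code.
    return is_remote_unc(canonicalize(path))

def find_bypasses(paths: List[str]) -> List[str]:
    # Paths the naive check lets through that nevertheless reach a remote host.
    return [p for p in paths if naive_allows(p) and consumer_reaches_remote(p)]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p!r:48} naive={naive_allows(p)!s:5} hardened={hardened_allows(p)!s:5}")
    print("bypasses:", find_bypasses(SAMPLE_PATHS))
```

The hardened variant rejects every spelling of the remote share because it checks the canonical form; the naive one misses the two slash variants.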

Read More:

https://www.darkreading.com/remote-workforce/microsoft-patches-bug-that-enables-simple-bypass-of-previous-fix-for-actively-exploited-outlook-vulnerability
