Comments on: Outlook Elevation of Privilege Vulnerability Leaks Credentials via NTLM
https://practical365.com/cve-2023-23397-ntlm-vulnerability/
Practical Office 365 News, Tips, and Tutorials
Wed, 17 Jan 2024 19:28:32 +0000

By: Tony Redmond https://practical365.com/cve-2023-23397-ntlm-vulnerability/#comment-257938 Thu, 30 Mar 2023 09:17:54 +0000 https://practical365.com/?p=58228#comment-257938 In reply to Sheldon Davidson.

Hi Sheldon,

I’ve checked the text and can’t find anything that says that the Outlook subscription client is not vulnerable. Could you point me to the words that you are worried about? Given the dynamic nature of this incident, I applied several updates to the text as new information emerged. There was some confusion initially about if Office 365 was exposed and I added a chunk of text to explain why I think the issue is less likely to appear there, but there’s no doubt that someone could be exposed if they used an old client and their credentials were transmitted to an attacker. Even if their account was protected by MFA, the attacker might be able to use the credentials to access a service that doesn’t use MFA.

By: Sheldon Davidson https://practical365.com/cve-2023-23397-ntlm-vulnerability/#comment-257903 Thu, 30 Mar 2023 00:36:09 +0000 https://practical365.com/?p=58228#comment-257903

Hey Tony. As of 2/29 this post is still misleading in saying that the 365 Outlook client is not vulnerable because it doesn’t use NTLM.

Here is how I understand that it works:

- If you are using any Windows Outlook client you are vulnerable, including the 365 apps

- Once the Outlook client is exploited, your NTLM hashes get dumped to the remote attacker

- Once the hashes are cracked (or are they plaintext credentials? I don’t remember and it doesn’t matter in this explanation) then the attacker can use your credentials for anything that you use your credentials for, which includes things like RPC if it’s enabled.

So it doesn’t matter if the 365 client doesn’t use NTLM or not, they get dumped regardless and can be used in any way the attacker wants. Please forgive me if this is incorrect, but that’s how I currently understand how it works.

By: Tony Redmond https://practical365.com/cve-2023-23397-ntlm-vulnerability/#comment-257461 Sat, 25 Mar 2023 12:16:15 +0000 https://practical365.com/?p=58228#comment-257461 In reply to Jose Ramos.

No, there is a patch listed for Microsoft 365 apps on the CVE page. I must say that I didn’t use it because the version of the Microsoft 365 apps I use is version 2303 and the fix is in that.

By: Jose Ramos https://practical365.com/cve-2023-23397-ntlm-vulnerability/#comment-257243 Thu, 23 Mar 2023 17:29:37 +0000 https://practical365.com/?p=58228#comment-257243 In reply to Tony Redmond.

I also looked in the section where we have the KBs, but there’s no link to download the patch, it just forwards to the link: https://learn.microsoft.com/en-us/officeupdates/microsoft365-apps-security-updates

By: Jose Ramos https://practical365.com/cve-2023-23397-ntlm-vulnerability/#comment-257216 Thu, 23 Mar 2023 13:20:24 +0000 https://practical365.com/?p=58228#comment-257216 In reply to Tony Redmond.

Correct, the patch was wrong and I was trying to install the 64-bit one. I installed the 32-bit and it worked, thanks. I questioned the customer about this and he said he uses it for RPA automation, but I totally agree with you Tony. We shouldn’t have Office installed on servers. Now, I have a problem that 3 servers on the list are using Microsoft Apps 365 and, from what I’ve seen, we don’t have a patch for that version. Is that correct?

By: John https://practical365.com/cve-2023-23397-ntlm-vulnerability/#comment-257162 Thu, 23 Mar 2023 03:03:18 +0000 https://practical365.com/?p=58228#comment-257162 In reply to Tony Redmond.

Hi Tony,
So they really cannot access my local Windows domain (hosted on a local onprem server) even if they have the username and password, is that correct? Is there anything else that they can do from this exploit?

By: Tony Redmond https://practical365.com/cve-2023-23397-ntlm-vulnerability/#comment-257126 Wed, 22 Mar 2023 18:23:32 +0000 https://practical365.com/?p=58228#comment-257126 In reply to Jose Ramos.

Why is Office installed on a server? Generally speaking, this is a bad idea.

In any case, AFAIK, all Outlook versions are vulnerable unless patched. Perhaps you’re using an incorrect patch OR the patch doesn’t run on a Windows server.

By: Jose Ramos https://practical365.com/cve-2023-23397-ntlm-vulnerability/#comment-257120 Wed, 22 Mar 2023 17:46:03 +0000 https://practical365.com/?p=58228#comment-257120

Good afternoon, all.
Tom, I received a list of 20 servers from the security team at the company I do consulting for and they are Server 2016 (64-bit). They all have Office 2016 Standard installed and I downloaded (KB5002254) to start the installation tests on a test server. When I run setup, I get a message like this: “There are no products affected by this package installed on this system”.

Even if I have Outlook 2016 installed, can I say that this server is safe from the CVE-2023-23397 threat?

Best Regards and thanks for the excellent article!

By: Tony Redmond https://practical365.com/cve-2023-23397-ntlm-vulnerability/#comment-257114 Wed, 22 Mar 2023 16:54:39 +0000 https://practical365.com/?p=58228#comment-257114 In reply to Nathan.

The updates are available in the Security Updates section of the page. There are links to the individual Knowledge Base articles for each version of Outlook.

By: Nathan https://practical365.com/cve-2023-23397-ntlm-vulnerability/#comment-257113 Wed, 22 Mar 2023 16:52:03 +0000 https://practical365.com/?p=58228#comment-257113

Microsoft 365 Windows Outlook app is vulnerable, but so far I cannot find an actual PATCH to apply for it.

https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2023-23397

This article just goes in circles.
