Microsoft has fixed an issue that triggers erroneous Outlook security alerts when opening .ICS calendar files after installing the December 2023 Outlook Desktop security updates.
The December Patch Tuesday security updates behind these inaccurate warnings patch the CVE-2023-35636 Microsoft Outlook information disclosure vulnerability, which attackers can exploit to steal NTLM hashes via maliciously crafted files.
These credentials are used to authenticate as the compromised Windows user in pass-the-hash attacks, to gain access to sensitive data or spread laterally on their network.
Microsoft 365 users impacted by this issue see dialog boxes warning them that "Microsoft Office has identified a potential security concern" and that "This location may be unsafe" when double-clicking ICS files saved locally.
"This behavior is not expected when opening .ICS files. This is a bug and will be addressed in a future update," the Outlook Team said in February when Microsoft first acknowledged this known issue.
Microsoft has now found a fix for this issue and is shipping it with Outlook for Microsoft 365 Version 2404 Build 17531.20000 in the Beta Channel. Those affected can test the fix if they're in the Office Insider Channels.
Current Channel users can expect to receive a fix for the issue on April 30th. Once the fix has been tested in production, it will be backported to Version 2402 for the Semi-Annual Enterprise Channel (Preview) during the June 2024 Patch Tuesday.
Until the fix is released to all affected users, those who are experiencing the issue can use a registry key to temporarily disable the erroneous security notifications.
However, it's important to note that once this workaround is deployed, you'll also stop receiving security prompts for all other potentially dangerous file types.
To apply the workaround, you have to add a new DWORD key with a value of '1' to:
- HKEY_CURRENT_USERsoftwarepoliciesmicrosoftoffice16.0commonsecurity (Group Policy registry path)
- ComputerHKEY_CURRENT_USERSoftwareMicrosoftOffice16.0CommonSecurity (OCT registry path)
Affected Outlook users can also disable the warning dialogs by following the instructions in the 'Enable or disable hyperlink warning messages in Office programs' support document.
Redmond fixed another known Outlook issue last month, causing some Outlook desktop clients to stop syncing to email servers via Exchange ActiveSync.
The company also addressed a bug behind Outlook.com connection issues on desktop and mobile email clients in February.
