CVE-2023-35311

FAQ

Is the Preview Pane an attack vector for this vulnerability?

Yes. The Preview Pane is an attack vector, but additional user interaction is required.

According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do?

The user would have to click on a specially crafted URL to be compromised by the attacker.

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

The attacker would be able to bypass the Microsoft Outlook Security Notice prompt.

After I installed the July 2023 security updates for Outlook, I can no longer access UNC, SMB, or file:// type URLs from my Outlook. How do I prevent this from happening?

The July 2023 Outlook security updates limit access to UNC, SMB, and file:// type URLs to only those the system identifies as Local, Intranet, or Trusted Sites. Additionally, when you click a link for one of these UNC, SMB, or file:// type URLs, a confirmation dialog will be displayed. To ensure continued access, add the URL, UNC, or FQDN path to the Trusted Site Zone as described in Intranet site is identified as Internet site - Windows Client | Microsoft Learn.

For more information see Outlook blocks opening FQDN and IP address hyperlinks after installing protections for Microsoft Outlook Security Feature Bypass Vulnerability released July 11, 2023.