- Vulnerability in Microsoft Outlook allowed threat actors to distribute malware via email
- The bug abuses the Windows Object Linking and Embedding feature
- A fix is already available and users are advised to apply it as soon as possible.
Microsoft has released a patch for a critical vulnerability that allowed malicious actors to distribute malware through its Outlook email client. Considering the severity of the flaw, users are advised to install the patch immediately.
In a security advisory, Microsoft detailed CVE-2025-21298, a use-after-free vulnerability with a severity score of 9.8/10 (critical). Use-after-free is a memory-safety flaw in which a program keeps using memory after it has been freed; an attacker who can control what lands in that freed memory can corrupt valid data or, in this scenario, deliver malware remotely.
Located in the Windows Object Linking and Embedding (OLE) feature, the bug means that simply viewing a malicious email in the preview pane is enough for the endpoint to become infected with malware. Windows OLE is a technology for embedding documents and other objects, or creating links to them. For example, a user can embed an Excel chart in a Word document; if the chart is linked rather than copied, updates to the Excel file are reflected in the Word document.
Specially designed emails
“In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email to the victim,” Microsoft explained in the advisory.
“Exploitation of the vulnerability may involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could cause the attacker to execute code remotely on the victim’s machine.”
For those who cannot apply the patch immediately, Microsoft suggests a number of mitigation measures, including displaying emails as plain text and, on large LAN networks, restricting NTLM traffic or disabling it completely. Displaying emails as plain text means that other multimedia elements, such as images, animations or different fonts, will not be displayed.
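As an added example (not part of the article or Microsoft's advisory), the PowerShell below audits the two interim mitigations on a workstation: whether Outlook is set to read mail as plain text for the current user (applying it with -Apply), and how outbound NTLM is currently restricted. It assumes Outlook's documented ReadAsPlain registry value and the LSA RestrictSendingNTLMTraffic value; the Office version list is an assumption to adjust for your estate.

```powershell
# Added example: audit (and optionally enforce) the plain-text mitigation,
# and report the outbound NTLM restriction level. Not code from the article.
param([switch]$Apply)

# Assumption: Office 2016/2019/365 register under 16.0, Office 2013 under 15.0.
$versions = @('16.0', '15.0')

$outlook = foreach ($v in $versions) {
    # Skip versions that are not installed for this user profile.
    if (-not (Test-Path "HKCU:\Software\Microsoft\Office\$v\Outlook")) { continue }

    # Documented value: ReadAsPlain (DWORD) = 1 renders all mail as plain text.
    $key = "HKCU:\Software\Microsoft\Office\$v\Outlook\Options\Mail"
    $current = (Get-ItemProperty -Path $key -Name ReadAsPlain -ErrorAction SilentlyContinue).ReadAsPlain

    if ($Apply -and $current -ne 1) {
        New-Item -Path $key -Force | Out-Null          # creates the key if absent
        Set-ItemProperty -Path $key -Name ReadAsPlain -Value 1 -Type DWord
        $current = 1
    }

    [pscustomobject]@{
        OfficeVersion = $v
        ReadAsPlain   = if ($null -eq $current) { 0 } else { $current }
        Mitigated     = ($current -eq 1)
    }
}

# Outbound NTLM policy ("Network security: Restrict NTLM: Outgoing NTLM traffic"):
# 0 or missing = allow all, 1 = audit all, 2 = deny all. Read-only here; this
# is a machine-wide setting that should be changed via Group Policy, not ad hoc.
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ntlm = (Get-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
$ntlmLabel = switch ($ntlm) { 1 { 'Audit all' } 2 { 'Deny all' } default { 'Allow all (unrestricted)' } }

$outlook | Format-Table -AutoSize
"Outbound NTLM restriction: $ntlmLabel"
```

Run without -Apply to report only; the NTLM value is deliberately read and never written, since denying all outbound NTLM can break legacy authentication on a LAN and belongs in a tested policy rollout.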
The inconvenience is worth it, however, because malware sent this way can cause serious business disruptions, loss of customers, and possibly even regulatory fines.
Via NotebookCheck