Outlook 2016: Links broken after update from July 11, 2023 (KB5002427) – Security warning appears when clicking links

The security update KB5002427 for Outlook 2016 from July 11, 2023 (as well as the Click-2-Run updates of Office from the same date) causes an unpleasant bug. If the user wants to open links in Outlook 2016, the program displays a security notice. The links simply no longer work. The only solution I know of so far is to uninstall update KB5002427 (or the latest Office 365 build).


Outlook 2016 Update KB5002427

Update KB5002427 was released on July 11, 2023 for Outlook 2016 and is intended to address the following two vulnerabilities.

  • CVE-2023-33151: Microsoft Outlook Spoofing vulnerability; CVSS 3.1 score 5.7; if the user clicks on a prepared link with a URL, an attacker could obtain information (e.g. NetNTLMv2 hashes) from the system. Even an attack via the preview window in Outlook seems possible if the user plays along.
  • CVE-2023-35311: Microsoft Outlook Security Feature Bypass vulnerability; CVSS 3.1 score 8.2; if the user clicks on a link to a specially crafted URL, an attacker could bypass Microsoft Outlook's security warning. Even an attack via the preview window in Outlook seems possible if the user accepts a warning.

Update KB5002427, rolled out for MSI installations of Microsoft Office 2016 via Windows Update, is mentioned in the blog post Microsoft Office Updates (July 11, 2023). However, Microsoft has also rolled out a new build for Click-2-Run installations to fix the vulnerabilities. These updates are listed in the linked CVE pages.

I've listed update KB5002427 for Outlook 2016 here because I got the first notices about it. The issue also affects Click-2-Run installations if they were upgraded to the latest build via Office. It's just that I didn't consistently document these updates here on the blog.

Links and Shares are broken

However, the security update breaks links (and shares) in Microsoft Outlook; they can no longer be opened. Shortly after I published the German blog post Microsoft Office Updates (11. Juli 2023), I received a comment from German blog reader Björn, which reads, translated, as follows:

KB5002427 causes a security warning to appear when trying to open links in Outlook. Trusted locations added via GPO in Office don't fix it, and there's no such option under Outlook itself.

German blog reader RobertB had posted a similar comment in the discussion area of the blog; the translated version is below:

Outlook Pop-Up Window

Since the Office update, when clicking on a link in an e-mail (in our case an internal file on the file server), a pop-up window appears. Headline: "Security Advisory for Microsoft Outlook" and in the text: "Microsoft Office has detected a potential security risk. This location may not be secure."

Haven't found anything about this yet.

On Mastodon, Nightfighter, who is also suffering from the update, chimed in with the following comment (translated):


Is anyone else having problems opening links in Outlook since the recent Outlook updates? Outlook suddenly reports that a policy prevents opening.

And blog reader Stefan adds in this comment that the problem is even more extensive and wrote:

If it were only security hints. Links pointing to files on network drives(dfs) cause an error message (unexpected error file:///\\ …) and nothing happens. Local files lead to a security message just like "external" links… – after uninstalling KB5002427 everything works.

I read a similar entry in the following reddit.com thread. Björn had linked in his comment to the discussion thread Outlook Hyperlinks – Not Working on reddit.com, where a user reports the same.

This morning we have started to see issues to accessing links within emails. Our current setup is as follows –

Our SharePoint drives are mapped as a folder structure using WebDAV. Script designed to run each day check the drives exist and are still mapped or map the drives if they don't exist to the locations of both Work Drive & Personal OneDrive. (Yes OneDrive, I know – they don't like change).

When users send out email reports they tend to add a link to that location of the file that's mapped (WebDAV) within the email so it can be opened and viewed.

As of this morning links no longer work and we are presented with the following error –

The observation is confirmed by other users. Another reddit.com thread, UNC Paths in Outlook Now Showing Security Notice, meanwhile confirms this bug for Outlook 2016 (version 2306 build 16.0.16529.20164) 64-bit (Click-2-Run variant) as well.

Uninstalling the update helps

The only solution I have found so far is to uninstall the security update KB5002427. For the Click-2-Run variants, the only thing left to do is to roll back to the previous Office build so that links in Outlook work again.

There is a registry key under:

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\office\16.0\common\security

where you can set the 32-bit DWORD value disablehyperlinkwarning to 1; maybe it suppresses the security warning (I haven't tested that).


10 Responses to Outlook 2016: Links broken after update from July 11, 2023 (KB5002427) – Security warning appears when clicking links

  1. Francis says:

    Thanks for the article. We are running Microsoft 365 version 2302 (Build 16130.20644 Click-to-Run, Semi-Annual Enterprise Channel) and we are facing the same issue as well. While users running 2208 (one version behind) are doing fine. The registry key hack didn't help. We have no other choice but to roll back to the previous version.

    • guenni says:

      Within the German article somebody wrote in a comment that the Policy entry doesn't work, but the direct key entry

      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Security

      helped in this case

      • Francis says:

        Thanks for the reply and direction. I tried on my devices but it seems the case is still there. Looks like I have to add it to the Trusted Site or the Local Intranet to try again.

  2. Ras says:

    Workaround is that you can modify your "Safe Links" policy in the Defender portal to prevent or minimize the popup.
    https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-links-policies-configure

    However, it requires a premium subscription…

  3. Mike says:

    Hello,
    We have run into the same problem with several of our Outlook clients, from Outlook 365, 2019, 2016, 2013, etc.
    One of our colleagues found a solution on purpose: Outlook doesn't seem to recognize the network share path as part of the local network and blocks the hyperlink as not trusted. For us the solution was to add the share name manually so to say as a "trusted website" under Control Panel\Internet Options\Security\Local Intranet\Sites\Advanced
    Afterwards the hyperlinks should work again, they did in our case.
    You can add the website also with GPO under "User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page" and give it the value 1

    Hope this helps. Greets from the Alps.

    • guenni says:

      Thanks for your hint – will add a link to this comment to my German edition of the blog post.

  4. Sebastian says:

    If you have the latest version installed, I have 2306 in my company, switch to the new version in outlook (top corner in outlook) and everything will open.

  5. EP says:

    Recently from Neowin – KB5002427, KB5002432: Microsoft resolves issue that broke Outlook Hyperlink URL opening:
    https://www.neowin.net/news/kb5002427-kb5002432-microsoft-resolves-issue-that-broke-outlook-hyperlink-url-opening/

  6. William says:

    In the Endpoint Manager you can solve this problem globally by adding the network path file:///\\yourdomain.local or file:\\*yourdomain.local to the configuration setting "Site to Zone Assignment List" in the administrative templates

    with the value 1

    Hope this helps
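
The workarounds in the article and the comments differ in scope: disablehyperlinkwarning switches the warning off for every hyperlink, while a zone assignment trusts only the listed hosts. The following read-only PowerShell audit is an added example, not code from the article or from Microsoft; it reports which of them are active for the current user. The two Office key paths are the ones quoted on this page; the ZoneMapKey and ZoneMap\Domains locations are the standard Windows registry locations for zone assignments and are not quoted on this page.

```powershell
# Added example: read-only audit, nothing in the registry is changed.
$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$ie = 'Microsoft\Windows\CurrentVersion\Internet Settings'
$report = @()

# 1) Global switch: policy key from the article, non-policy key from the comments.
#    A value of 1 suppresses the hyperlink warning for ALL links, not only file shares.
foreach ($key in 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Common\Security',
                 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Security') {
    $v = (Get-ItemProperty -Path $key -Name 'DisableHyperlinkWarning' -ErrorAction SilentlyContinue).DisableHyperlinkWarning
    $report += [pscustomobject]@{
        Setting  = 'DisableHyperlinkWarning'
        Location = $key
        Entry    = '(all hyperlinks)'
        Value    = if ($null -eq $v) { 'not set' } elseif ($v -eq 1) { '1 = warning suppressed' } else { "$v" }
    }
}

# 2) "Site to Zone Assignment List" set by GPO or Endpoint Manager:
#    value name = site or share, value data = zone number.
foreach ($key in "HKCU:\SOFTWARE\Policies\$ie\ZoneMapKey", "HKLM:\SOFTWARE\Policies\$ie\ZoneMapKey") {
    $k = Get-Item -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $k) { continue }
    foreach ($site in $k.GetValueNames()) {
        $zone = [int]$k.GetValue($site)
        $report += [pscustomobject]@{
            Setting = 'Site to Zone Assignment'; Location = $key
            Entry = $site; Value = "$zone = $($zoneNames[$zone])"
        }
    }
}

# 3) Sites added by hand under Internet Options > Security > Local Intranet:
#    one subkey per host or domain, value name = scheme, value data = zone number.
Get-ChildItem -Path "HKCU:\SOFTWARE\$ie\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        foreach ($scheme in $_.GetValueNames()) {
            $zone = [int]$_.GetValue($scheme)
            $report += [pscustomobject]@{
                Setting = 'Manual zone entry'; Location = $_.Name
                Entry = $scheme; Value = "$zone = $($zoneNames[$zone])"
            }
        }
    }

$report | Format-Table -AutoSize -Wrap
```

A line showing "1 = warning suppressed" means the prompt is off for every link in Outlook; the zone entries show exactly which hosts have been moved to a more trusted zone instead.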
