Outlook: Update from December 2023 triggers .ics security warning

[German]Outlook users may be startled by a security warning when they try to open a calendar file (.ics). The cause is probably an update for Office 365 from December 12, 2023.


Advertising

An error description by a user

A user describes the problem in the Microsoft Answers forum in the post How can I avoid Outlook's security warning on a .ics file? The user used iCal.Net to create an .ics file with appointment entries for a calendar. The file is correct and works, according to the user in his message dated February 1, 2024. However, as soon as he tries to open this .ics file in Outlook under Windows to display the appointment in the calendar, he receives the following warning.

Outlook ics security notice

Outlook displays a security warning and writes in a dialog box that Microsoft Office has detected a potential security problem. The path from which the .ics file was loaded was insecure. A Microsoft employee then posted in the thread and pointed out that this behavior was known because a security update from December 12, 2023 had closed a vulnerability.

The security warning the user receive when opening an .ics file is due to a recent security update for the Outlook desktop. This is a protection against the vulnerability in Microsoft Outlook.

December 2023 update is responsible

In the December 2023 blog post Microsoft Office updates (December 12, 2023), I also described the updates for Microsoft Office. There was also an update for Microsoft Outlook with the following description:

Outlook 2016: (KB5002529); This security update resolves an information disclosure vulnerability in Microsoft Outlook. For more information about this vulnerability, see CVE-2023-35636.

I wrote the article Calendar invitation in Outlook can reveal password (via CVE-2023-35636). However, this security update was not only released for Outlook 2016 (MSI installer), but also for all click-to-run variants of Outlook 2016-2021 and Outlook 365.


Advertising

The Microsoft employee informed the user that this warning can also be deactivated by Outlook when opening .ics calendar files. The details can be found in the blog post Outlook prompts security notice opening .ICS files after installing protections for Microsoft Outlook Information Disclosure Vulnerability released: Dec 12, 2023 – Microsoft Support. The colleagues from Bleeping Computer took up the topic here.


Advertising

This entry was posted in issue, Office and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).