Microsoft pulls fix for Outlook bug behind ICS security alerts

Microsoft has rolled back a fix for a known Outlook issue that was causing incorrect security alerts when opening ICS calendar files after installing the December Outlook Desktop security updates.

Affected Microsoft 365 users are seeing unexpected warnings that "Microsoft Office has identified a potential security concern" and that "This location may be unsafe" when double-clicking ICS files saved on their devices.

The December security updates triggering these alerts patch an Outlook information disclosure vulnerability (CVE-2023-35636) that can let attackers steal NTLM hashes via maliciously crafted files and use them in Windows pass-the-hash attacks to access sensitive data or move laterally on the network.

Microsoft fixed the issue in early April and started shipping it with Outlook for Microsoft 365 Version 2404 Build 17531.20000 to Office Insiders in the Beta Channel.

"The Outlook Team found issues with the fix while it was being tested in the Insider channels," the company said in a support document updated on Tuesday.

"Currently the fix has been disabled and will be re-enabled after some modifications. We will update this topic as soon as the fix is available again for testing."

​For users experiencing the issue, a temporary workaround is available until the fix is released, which requires using a registry key to disable the false security notifications.

However, it's important to note that this temporary fix will also stop security prompts for all other potentially dangerous file types.

To apply the workaround, you have to add a new DWORD key with a value of '1' to:

• HKEY_CURRENT_USER\software\policies\microsoft\office\16.0\common\security (Group Policy registry path)
• Computer\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Security (OCT registry path)

Affected Outlook users can also eliminate the warnings by following instructions in the 'Enable or disable hyperlink warning messages in Office programs' support document.

Last month, Microsoft resolved another known issue, causing some Outlook desktop clients to stop synchronizing with email servers via Exchange ActiveSync.

The company also fixed a bug in February that generated connection problems for Outlook.com users on desktop and mobile email clients.