Yesterday Microsoft announced CVE-2023-23397, a critical vulnerability in Microsoft Outlook that allows a threat actor to harvest NTLMv2 hashes via a specially crafted Outlook appointment.

Microsoft states that attackers can exploit this vulnerability by sending an email that triggers automatically when it is retrieved and processed by the Outlook client. This can lead to exploitation BEFORE the email is viewed in the Preview Pane.

They also state that this vulnerability is being actively exploited in the wild.

In the interest of quickly checking and triggering patches on affected systems, the PowerShell one-liner below reports the patch status and Office version on the system it runs on, and if the system is unpatched, it attempts to run the Click-to-Run updater.

Please modify it as required to suit your needs and different Office versions. This was written to target Microsoft 365 Apps on Current Channel; MSI-based Office installs do not have the Click-to-Run registry key it reads.

$env:computername ; Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' | Select-Object -ExpandProperty VersionToReport | %{if([version]$_ -ge [version]"16.0.16130.20306"){Write-Host -ForegroundColor Green "Patched - Office Version: $_"} else {Write-Host -ForegroundColor Red "Vulnerable - Office Version: $_"; Start-Process -FilePath "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe" -ArgumentList '/update user'}}

And across multiple lines for readability:

$env:computername
Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' | Select-Object -ExpandProperty VersionToReport | %{
    # Compare as [version] so builds newer than the fixed build are also reported as patched
    if([version]$_ -ge [version]"16.0.16130.20306"){
        Write-Host -ForegroundColor Green "Patched - Office Version: $_"
    } else {
        Write-Host -ForegroundColor Red "Vulnerable - Office Version: $_"
        # Kick off the Click-to-Run updater in the user's context
        Start-Process -FilePath "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe" -ArgumentList '/update user'
    }
}
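For triage across a fleet rather than one host, the same check can be wrapped in a function that returns objects instead of coloured text, so results can be collected with Invoke-Command and exported. This is an added example, not part of the original post: it assumes the UpdateChannel registry value holds the channel's CDN URL, uses the Current Channel CDN GUID from Microsoft's Click-to-Run configuration (verify it in your environment), and leaves other channels as placeholders to be filled from Microsoft's release notes.

```powershell
function Get-OutlookCve202323397Status {
    [CmdletBinding()]
    param(
        [switch]$TriggerUpdate   # when set, launch OfficeC2RClient on vulnerable hosts
    )
    # Minimum patched build per update channel, keyed by the channel's CDN GUID.
    # Only Current Channel is known from the post; add other channels and their builds.
    $minimumBuild = @{
        '492350f6-3a01-4f97-b9c0-c7c6ddf67d60' = @{ Name = 'Current Channel'; Build = [version]'16.0.16130.20306' }
        # '<other-channel-guid>' = @{ Name = '<channel name>'; Build = [version]'<patched build>' }
    }
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $cfg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $result = [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Channel      = 'Unknown'
        Version      = $null
        Status       = 'NoClickToRun'   # MSI-based Office is not covered by this check
    }
    if (-not $cfg) { return $result }

    $result.Version = $cfg.VersionToReport
    # UpdateChannel is a CDN URL whose last path segment is the channel GUID.
    $guid = [string](($cfg.UpdateChannel -split '/')[-1])
    $channel = $minimumBuild[$guid]
    if (-not $channel) {
        $result.Channel = "Unknown ($guid)"
        $result.Status  = 'ReviewManually'
        return $result
    }
    $result.Channel = $channel.Name
    if ([version]$cfg.VersionToReport -ge $channel.Build) {
        $result.Status = 'Patched'
    } else {
        $result.Status = 'Vulnerable'
        if ($TriggerUpdate) {
            Start-Process -FilePath "$env:ProgramFiles\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe" -ArgumentList '/update user'
            $result.Status = 'Vulnerable-UpdateStarted'
        }
    }
    return $result
}

# Report on the local host; to fan out, run the function body remotely and collect the objects:
Get-OutlookCve202323397Status
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-OutlookCve202323397Status} |
#     Export-Csv .\cve-2023-23397-status.csv -NoTypeInformation
```

Hosts that come back as ReviewManually are on a channel the table does not yet cover, so their status cannot be judged from the Current Channel build alone.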