
Microsoft fixes VDI bug that made Outlook crash


Microsoft recently fixed an issue in Outlook in which the popular email program would crash because of a bug in Outlook’s virtual desktop infrastructure (VDI).

While technically more of a business continuity issue, security pros said teams should apply this patch because the crashes create dangerous blind spots that hackers look to exploit.

“When email systems are down or unreliable, employees often turn to unsecured alternatives such as personal email or messaging apps, which opens up new attack vectors that bypass corporate security controls,” said J. Stephen Kowski, Field CTO at SlashNext Email Security.

Kowski said the real risk comes from the chaos: IT teams scrambling to fix crashes while users find workarounds, creating the perfect storm for phishing attacks and social engineering attempts that slip through the cracks.

According to a June 24 Microsoft advisory, the VDI issue occurs because Outlook cannot open the Forms Library, a location where users can create customized email messages. The company said this issue can occur for Outlook on all Microsoft 365 Office channels.

Microsoft addressed the bug across multiple channels: fixed versions were released for Current Channel Preview, Monthly Enterprise Channel, Semi-Annual Enterprise Channel, Outlook 2021, and Outlook 2024 users. It will also release "non-security" updates to fix the VDI bug for Outlook 2016 on July 1st and for Outlook 2019 on July 8th.

David Matalon, chief executive officer at Venn, added that this Outlook crash is a clear example of the instability and issues that arise when working with VDI and similar remote hosting technologies to run essential business apps.

“Traditional VDI tools host apps and data remotely, routing every click and keystroke from the endpoint to a data center – and then back to the endpoint,” explained Matalon. “It’s a reminder why IT leaders should explore strategies that allow business applications to run locally on the user’s device.”

In its advisory, Microsoft said teams can potentially work around the issue by creating the FORMS2 folder. The folder's path is C:\Users\<username>\AppData\Local\Microsoft\FORMS2.

To create the folder, Microsoft says to do the following:

  • Close Outlook and other Office applications.
  • Select Start > Run and enter the path %localappdata%\Microsoft and select OK.
  • In the File Explorer menu, select New > Folder and name it FORMS2.
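
For VDI fleets where the manual steps above do not scale, the same workaround can be scripted per user. The following PowerShell is an added example, not Microsoft's own script; the function name and the list of Office process names are assumptions, and the process check is limited to the current session so other users on a shared host do not block it.

```powershell
# Added example: create %localappdata%\Microsoft\FORMS2 for the current user.
# Assumption: these process names stand in for "Outlook and other Office applications".
$officeProcesses = 'OUTLOOK', 'WINWORD', 'EXCEL', 'POWERPNT', 'ONENOTE', 'MSACCESS'

function New-Forms2Folder {
    [CmdletBinding()]
    param(
        # Parent directory; defaults to %localappdata%\Microsoft as in the advisory steps.
        [string]$MicrosoftDir = (Join-Path $env:LOCALAPPDATA 'Microsoft')
    )

    # Step 1: refuse to proceed while Office apps are open in THIS session.
    # On multi-session hosts Get-Process can list other users' processes, so filter.
    $mySession = (Get-Process -Id $PID).SessionId
    $running = Get-Process -Name $officeProcesses -ErrorAction SilentlyContinue |
        Where-Object { $_.SessionId -eq $mySession }
    if ($running) {
        $names = ($running.ProcessName | Sort-Object -Unique) -join ', '
        throw "Close these applications first: $names"
    }

    # Step 2: the parent directory must already exist; do not create it blindly.
    if (-not (Test-Path -LiteralPath $MicrosoftDir -PathType Container)) {
        throw "Expected directory not found: $MicrosoftDir"
    }

    $forms2 = Join-Path $MicrosoftDir 'FORMS2'

    # A file named FORMS2 would block folder creation; report it rather than overwrite.
    if (Test-Path -LiteralPath $forms2 -PathType Leaf) {
        throw "$forms2 exists but is a file, not a folder."
    }

    # Idempotent: safe to run at every logon.
    if (Test-Path -LiteralPath $forms2 -PathType Container) {
        return [pscustomobject]@{ Path = $forms2; Created = $false }
    }

    # Step 3: create the folder and fail loudly if that is not possible.
    New-Item -ItemType Directory -Path $forms2 -ErrorAction Stop | Out-Null
    [pscustomobject]@{ Path = $forms2; Created = $true }
}

New-Forms2Folder
```

The returned object's Created field shows whether the folder was missing, which gives a quick count of affected profiles when the script runs across a fleet.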