A Security Update has been released for Outlook 2016. It resolves the vulnerabilities mentioned in CVE-2018-8522, CVE-2018-8524 and CVE-2018-8576 which could allow remote code execution via a specially crafted Office file as well as CVE-2018-8582 which could allow remote code execution when importing a specially crafted rwz-file (rules export).
This update also contains additional fixes for 13 non-security issues. Most notable are;
- When you switch between Mail and Calendar, Outlook 2016 crashes.
- When you reply to or forward an internal email message, the email address is not displayed in the message body. Only the display name is displayed.
- When the primary email address and User Principal Name (UPN) are changed in Active Directory or Azure Active Directory, the old SMTP address and UPN in a user’s Outlook profile file aren’t changed.
- When you reply to an Information Rights Management (IRM)-protected email message, you receive the following error message:
- The operation failed. The messaging interfaces have returned an unknown error. If the problem persists, restart Outlook. [OK].
- This update allows you to hide the retention policy User Interface (UI). via the SuppressRetentionPolicyUI Registry key.
- This update enables support for TLS version 1.2 for IMAP, POP, and SMTP connections.
Note: This update can be installed via Microsoft Update and updates Outlook to version 16.0.4756.1001. This update does not apply to Perpetual and Office 365 based installations of Office 2016.