Outlook 2016 (MSI) Security Update for November 2018

A Security Update has been released for Outlook 2016. It resolves the vulnerabilities mentioned in CVE-2018-8522, CVE-2018-8524 and CVE-2018-8576 which could allow remote code execution via a specially crafted Office file as well as CVE-2018-8582 which could allow remote code execution when importing a specially crafted rwz-file (rules export).

This update also contains additional fixes for 13 non-security issues. Most notable are;

  • When you switch between Mail and Calendar, Outlook 2016 crashes.
  • When you reply to or forward an internal email message, the email address is not displayed in the message body. Only the display name is displayed.
  • When the primary email address and User Principal Name (UPN) are changed in Active Directory or Azure Active Directory, the old SMTP address and UPN in a user’s Outlook profile file aren’t changed.
  • When you reply to an Information Rights Management (IRM)-protected email message, you receive the following error message:
    • The operation failed. The messaging interfaces have returned an unknown error. If the problem persists, restart Outlook. [OK].
  • This update allows you to hide the retention policy User Interface (UI). via the SuppressRetentionPolicyUI Registry key.
  • This update enables support for TLS version 1.2 for IMAP, POP, and SMTP connections.

View: Download information for KB4461506

Note: This update can be installed via Microsoft Update and updates Outlook to version 16.0.4756.1001. This update does not apply to Perpetual and Office 365 based installations of Office 2016.