A Security Update has been released for Outlook 2010. It resolves the following 2 vulnerabilities and includes 1 additional non-security fix;
- CVE-2019-1200: Microsoft Outlook Remote Code Execution Vulnerability
A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. Note that the Preview Pane is not an attack vector for this vulnerability.
- CVE-2019-1204: Microsoft Outlook Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages. An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB). To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email.
- Fix: The Notes and Message fields in some Outlook Items that are created by migration tools may not be editable.
Note: This update can be installed via Microsoft Update and updates Outlook to version 14.0.7236.5000.