A Security Update has been released for Outlook 2016. It resolves the following 2 vulnerabilities and includes 6 additional non-security improvements or fixes;
- CVE-2019-1200: Microsoft Outlook Remote Code Execution Vulnerability
A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. Note that the Preview Pane is not an attack vector for this vulnerability.
- CVE-2019-1204: Microsoft Outlook Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages. An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB). To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email.
- Improved translations for all language versions of Outlook 2016.
- Fix: In certain circumstances, such as switching folders or clearing search results, you see a black rectangle instead of the message list scroll bar.
- Fix: The Notes and Message fields in some Outlook Items that are created by migration tools may not be editable.
- Fix: The first time that you switch to Calendar view after you log in to Outlook, the primary calendar is not selected by default. Instead, a shared calendar is selected.
- Fix: When you save a single attachment by using the context menu, users are not notified if the operations fails.
- Fix: If a user sends an email message that contains combined languages in the Subject line, and a recipient sends a read receipt to the message, the original sender may see broken text in the Subject line of the read receipt. This update adds the ReadReceiptSubjectUseEnglish registry key to force the Subject line of a read receipt to be in English. To fix this issue, set the following registry key in Group Policy to fix this issue for all users:
- Location: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Preferences
- Name: ReadReceiptSubjectUseEnglish
- Type: DWORD
- Value data: 1
Note: This update can be installed via Microsoft Update and updates Outlook to version 16.0.4888.1000. This update does not apply to Perpetual and Office 365 based installations of Office 2016.