A new rollup update has been made available for all Click-to-Run installations of Outlook 2016, Outlook 2019 and Outlook as part of a Microsoft 365 subscription.
It contains 13 security updates for Access (1), Excel (3), Outlook (2), Word (1) and Office (6).
The Details about the Outlook vulnerabilities;
- CVE-2020-16947: Microsoft Outlook Remote Code Execution Vulnerability
A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
Note that the Preview Pane is an attack vector for this vulnerability.
The security update addresses the vulnerability by correcting how Microsoft Outlook handles files in memory. - CVE-2020-16949: Microsoft Outlook Denial of Service Vulnerability
A denial of service vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could cause a remote denial of service against a system.
Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Outlook server.
The security update addresses the vulnerability by correcting how Microsoft Outlook handles objects in memory.
In addition, it contains no documented non-security fixes for Outlook Current Version 2009 (but there were 3 fixes last week), 2 features and 15 fixes for Monthly Enterprise 2008 and 4 fixes for Semi-Annual (Preview) Version 2008. Most notable are;
- Version 2008 – Create polls in Outlook with Quick Poll
Easily create a poll, collect votes, and view results within an email. - Version 2008 – New profile card for Outlook
New profile card for Outlook including a better Organization view and matches the card style of Outlook Web. - Version 2009
Addresses an issue that caused some users to observe Outlook unexpectedly starting in an offline state. - Version 2008
Addresses an issue that caused users to be unable to close shared calendars by clicking on the “X” in the corner. - Version 2008
Fixes an issue that caused users to see anomalies when using the compact view. - Version 2008
Addressed an issue that caused meetings to fail to be removed from a manager’s calendar when declined by a delegate in some circumstances.
Based on your release channel, you’ll be updated to the following version;
- Microsoft 365 Apps, Outlook 2016 Retail, Outlook 2019 Retail
Version 2009 (Build 13231.20390) - Monthly Enterprise
Version 2008 (Build 13127.20638)
Version 2007 (Build 13029.20708) - Semi-Annual Enterprise (Preview)
Version 2008 (Build 13127.20638) - Semi-Annual Enterprise
Version 2002 (Build 12527.21236)
Version 1908 (Build 11929.20966) - Outlook 2019 Volume License
Version 1808 (Build 10367.20048)
Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook itself or the Microsoft Store. This update does not apply to msi-based installations of Office 2016.
