Exchange 2019 and 2016 Security Updates for September 2020

News

Security updates have been released for Exchange 2016 and Exchange 2019.

  • CVE-2020-16875: Microsoft Exchange Memory Corruption Vulnerability
    A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts.
    Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.
    The security update addresses the vulnerability by correcting how Microsoft Exchange handles objects in memory.

View: Description of the security update for Microsoft Exchange Server 2019 and 2016: September 8, 2020
Download: Security Update For Exchange Server 2019 CU6 (KB4577352)
Download: Security Update For Exchange Server 2019 CU5 (KB4577352)
Download: Security Update For Exchange Server 2016 CU17 (KB4577352)
Download: Security Update For Exchange Server 2016 CU16 (KB4577352)



Outlook for Microsoft 365 Apps Feature Update for August 2020

News

On the final day of August, Microsoft released the August feature update of Outlook for Microsoft 365 Apps in the Current Channel (previously known as the Office 365 Monthly Channel).

It comes with 2 new features for Outlook and 13 highlighted fixes (of which 2 were also included in last week’s bug fix release for Version 2007). The new features and notable fixes are listed below:

  • Improved links in email
    When you include a link to a file, the file name replaces the URL. You can change permissions so all recipients have access.
  • Natural Language Support in Search
    With the implementation of Natural Language Support in Search, users can easily filter their search results without remembering specific search syntax.
  • Fixes an issue that caused users who attempted to create a meeting request from a secondary account added to their profile to see a blank From: field instead of their email address.
  • Addressed an issue that caused meetings to fail to be removed from a manager’s calendar when declined by a delegate in some circumstances.
  • Fixes an issue that caused users to experience occasional crashes when interacting with Cloud attachments.
  • Addressed an issue that caused users of some character sets to see file names display incorrectly when adding a Smart Link to a SharePoint file.
  • Addressed an issue that caused some users to see the Scheduling Assistant page fail to display.
  • Fixes an issue that caused users to see anomalies when using the compact view.
  • Addressed an issue that caused the right-click context menu to fail to appear in the search controls.

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook or the Microsoft Store and updates Outlook to: Version 2008 (Build 13127.20296).


Outlook 2016 / 2019 / 365 Update for August 2020

News

A new rollup update has been made available for all Click-to-Run installations of Outlook 2016, Outlook 2019 and Outlook as part of a Microsoft 365 subscription.

It contains 13 security updates for Access (1), Excel (5), Outlook (2), Word (3) and Office (2). Details about the Outlook vulnerabilities:

  • CVE-2020-1483: Microsoft Outlook Memory Corruption Vulnerability
    A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
    To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
    Note that the Preview Pane is an attack vector for this vulnerability.
    The security update addresses the vulnerability by correcting how Microsoft Outlook handles files in memory.
  • CVE-2020-1493: Microsoft Outlook Information Disclosure Vulnerability
    An information disclosure vulnerability exists when attaching files to Outlook messages. This vulnerability could potentially allow users to share attached files such that they are accessible by anonymous users where they should be restricted to specific users.
    To exploit this vulnerability, an attacker would have to attach a file as a link to an email. The email could then be shared with individuals that should not have access to the files, ignoring the default organizational setting.
    The security update addresses the vulnerability by correcting how Outlook handles file attachment links.

In addition, it contains 2 documented non-security fixes for Outlook Current, 4 features and 7 fixes for Monthly Enterprise 2005, and 1 for Semi-Annual 2002. The most notable fixes are:

  • Version 2007
    Addressed an issue that caused Outlook to fail to retrieve search suggestions.
  • Version 2007
    Addressed an issue that caused users to occasionally crash when retrieving persona information.
  • Version 2006 –  New option to disable @ mention suggestions when composing mail in Outlook
    Do you find the @ mention picker more annoying than useful? Now you can turn it off if you prefer.
    File-> Options-> Mail-> section: Send Messages-> Suggest names to mention when I use the @ symbol in a message.
  • Version 2006 – Keep your pictures high fidelity when sending them as part of an email
    A new Outlook setting is available to limit picture compression when you send pictures as part of the email contents.
    File-> Options-> Mail-> Editor Options…-> Advanced-> enable: Do not compress images in file
  • Version 2006
    Addresses an issue that caused users to see the creation date of attachments that they copied to their file system via drag and drop getting set to January 1, 4501.
  • Version 2002
    Addressed an issue that caused a significant performance issue when starting Outlook for some tenants.

Based on your release channel, you’ll be updated to the following version:

  • Microsoft 365, Outlook 2016 Retail, Outlook 2019 Retail
    Version 2007 (Build 13029.20344)
  • Monthly Enterprise
    Version 2006 (Build 13001.20520)
    Version 2005 (Build 12827.20656)
  • Semi-Annual Enterprise (Preview)
    Version 2002 (Build 12527.20988)
  • Semi-Annual Enterprise
    Version 2002 (Build 12527.20988)
    Version 1908 (Build 11929.20934)
    Version 1902 (Build 11328.20644)
  • Outlook 2019 Volume License
    Version 1808 (Build 10364.20059)

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook itself or the Microsoft Store. This update does not apply to MSI-based installations of Office 2016.


Outlook 2016 (MSI) Security Update for August 2020

News

A Security Update has been released for Outlook 2016. It resolves the following vulnerabilities:

  • CVE-2020-1483: Microsoft Outlook Memory Corruption Vulnerability
    A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
    To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
    Note that the Preview Pane is an attack vector for this vulnerability.
    The security update addresses the vulnerability by correcting how Microsoft Outlook handles files in memory.
  • CVE-2020-1493: Microsoft Outlook Information Disclosure Vulnerability
    An information disclosure vulnerability exists when attaching files to Outlook messages. This vulnerability could potentially allow users to share attached files such that they are accessible by anonymous users where they should be restricted to specific users.
    To exploit this vulnerability, an attacker would have to attach a file as a link to an email. The email could then be shared with individuals that should not have access to the files, ignoring the default organizational setting.
    The security update addresses the vulnerability by correcting how Outlook handles file attachment links.

This update contains 2 additional fixes or improvements for non-security issues:

  • Fixes an issue that causes Outlook users to be unable to send a message as (or on behalf of) a hidden distribution list.
  • Fixes an issue that causes the creation date of an attachment to be set to “January 1, 4501” if a user copies the attachment to the file system through a drag-and-drop action.

View: Download information for KB4484475

Note: This update can be installed via Microsoft Update and updates Outlook to version 16.0.5044.1000. This update does not apply to Perpetual and Office 365 based installations of Office 2016.


Outlook 2013 Security Update for August 2020

News

A Security Update has been released for Outlook 2013. It resolves the following vulnerabilities:

  • CVE-2020-1483: Microsoft Outlook Memory Corruption Vulnerability
    A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
    To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
    Note that the Preview Pane is an attack vector for this vulnerability.
    The security update addresses the vulnerability by correcting how Microsoft Outlook handles files in memory.
  • CVE-2020-1493: Microsoft Outlook Information Disclosure Vulnerability
    An information disclosure vulnerability exists when attaching files to Outlook messages. This vulnerability could potentially allow users to share attached files such that they are accessible by anonymous users where they should be restricted to specific users.
    To exploit this vulnerability, an attacker would have to attach a file as a link to an email. The email could then be shared with individuals that should not have access to the files, ignoring the default organizational setting.
    The security update addresses the vulnerability by correcting how Outlook handles file attachment links.

View: Download information for KB4484486

Note: This update can be installed via Microsoft Update or the Update Now button when you are using Office 2013 Click-To-Run and updates Outlook to version 15.0.5267.1000.


Outlook 2010 Security Update for August 2020

News

A Security Update has been released for Outlook 2010. It resolves the following vulnerabilities:

  • CVE-2020-1483: Microsoft Outlook Memory Corruption Vulnerability
    A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
    To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
    Note that the Preview Pane is an attack vector for this vulnerability.
    The security update addresses the vulnerability by correcting how Microsoft Outlook handles files in memory.
  • CVE-2020-1493: Microsoft Outlook Information Disclosure Vulnerability
    An information disclosure vulnerability exists when attaching files to Outlook messages. This vulnerability could potentially allow users to share attached files such that they are accessible by anonymous users where they should be restricted to specific users.
    To exploit this vulnerability, an attacker would have to attach a file as a link to an email. The email could then be shared with individuals that should not have access to the files, ignoring the default organizational setting.
    The security update addresses the vulnerability by correcting how Outlook handles file attachment links.

View: Download information for KB4484475

Note: This update can be installed via Microsoft Update and updates Outlook to version 14.0.7256.5000.


Outlook for Microsoft 365 Apps Feature Update for July 2020

News

Right before the end of July, Microsoft released the July feature update of Outlook for Microsoft 365 Apps in the Current Channel (previously known as the Office 365 Monthly Channel).

It comes with 3 new features for Outlook and 6 highlighted fixes, plus 1 fix that was also in the bug fix update for Version 2006 released 2 days ago.

  • Create polls in Outlook with Quick Poll
    Easily create a poll, collect votes, and view results within an email.
    • New Email-> Insert-> Poll
    • New Email-> Options-> Use Voting Buttons-> Poll
  • Keep your pictures high fidelity when sending them as part of an email
    A new Outlook setting is available to limit picture compression when you send pictures as part of the email contents.
    File-> Options-> Mail-> Editor Options…-> Advanced-> enable: Do not compress images in file
  • Quickly reopen items from previous session
    We added an option to quickly reopen items from a previous Outlook session. Whether Outlook crashes or you close it, you’ll now be able to quickly relaunch items when you reopen the app. This feature is on by default. To turn it off, go to File-> Options-> General-> Start up Options-> When Outlook opens

    Outlook closed while you had items open. Reopen those items from your last session?

  • Addressed an issue that caused users of CLP (Information Protection; Classification, Labeling and Protection) to experience a crash when switching the From address on a reply from a protected context to an unprotected one.
  • Addressed an issue that caused the “Allow Forwarding” option to be missing from shared calendar meeting “Response Options” when Download Shared folder was NOT checked.
  • Addressed an issue that caused delegates to receive an error when editing an existing calendar appointment on a manager’s calendar.
  • Addressed an issue that caused users to be unable to save OneDrive attachments from outside their tenant to their local computer when selecting the “Save” option on the security dialog.
  • Addressed an issue that caused the Scheduling Assistant page to fail to display.
  • Addressed an issue that caused formatting problems in incident notification alerts.
  • We fixed an issue with copying and pasting SVG images (previously fixed in Version 2006).

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook or the Microsoft Store and updates Outlook to: Version 2007 (Build 13029.20308).


Outlook 2016 / 2019 / 365 Update for July 2020

News

A new rollup update has been made available for all Click-to-Run installations of Outlook 2016, Outlook 2019 and Outlook as part of a Microsoft 365 subscription.

It contains 8 security updates for Excel (1), Outlook (1), Project (1), Word (4) and Office (1). Details about the Outlook vulnerability:

  • CVE-2020-1349: Microsoft Outlook Remote Code Execution Vulnerability
    A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.
    To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
    Note that the Preview Pane is an attack vector for this vulnerability.
    The security update addresses the vulnerability by correcting how Microsoft Outlook handles files in memory.

In addition, it contains 1 documented non-security fix for Outlook Current, 1 feature and 10 fixes for Monthly Enterprise 2005, 12 for Semi-Annual (Preview) 2002 and 44 for Semi-Annual 1908. The most notable fixes are:

  • Version 2006 and 2002
    Addressed an issue that caused users to be unable to save OneDrive attachments from outside their tenant to their local computer when selecting the “Save” option on the security dialog.
  • Version 2005 – Better results—in a jiffy
    We’ve updated the Search experience to make it smarter, faster, and more reliable than ever.
  • Version 2005
    Addresses an issue that caused users to see Outlook continuously prompt them to run the Inbox Repair tool.
  • Version 2005, 2002 and 1908
    Addresses an issue that caused users to see the “The rules on this computer do not match the rules on Microsoft Exchange” message when updating their rules in Outlook.
  • Version 2002
    Addressed an issue that caused recurring appointments or meetings to be displayed at the wrong time when approaching a timezone definition change.
  • Version 2002
    Addressed an issue that caused delegates to receive an error when editing an existing calendar appointment on a manager’s calendar.
  • Version 1908
    This updates the attachment blocking logic in Outlook to also block python attachments.
  • Version 1908
    Addresses an issue that caused Outlook users to get stuck in the “Needs Password” state in certain scenarios.

Version 2002 has now also been released to the Semi-Annual Enterprise Channel and contains 12 highlighted new features and 61 fixes which have already been made available to the other release channels.

Based on your release channel, you’ll be updated to the following version:

  • Office 365, Outlook 2016 Retail, Outlook 2019 Retail
    Version 2006 (Build 13001.20384)
  • Office 365 Monthly Enterprise
    Version 2005 (Build 12827.20538)
    Version 2004 (Build 12730.20602)
  • Office 365 Semi-Annual Enterprise (Preview)
    Version 2002 (Build 12527.20880)
  • Office 365 Semi-Annual Enterprise
    Version 2002 (Build 12527.20880)
    Version 1908 (Build 11929.20904)
    Version 1902 (Build 11328.20624)
  • Outlook 2019 Volume License
    Version 1808 (Build 10363.20015)

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook itself or the Microsoft Store. This update does not apply to MSI-based installations of Office 2016.


Outlook 2016 (MSI) Security Update for July 2020

News

A Security Update has been released for Outlook 2016. It resolves the following vulnerability:

  • CVE-2020-1349: Microsoft Outlook Remote Code Execution Vulnerability
    A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.
    To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
    Note that the Preview Pane is an attack vector for this vulnerability.
    The security update addresses the vulnerability by correcting how Microsoft Outlook handles files in memory.

This update also contains 4 additional fixes or improvements for non-security issues:

  • Improves translations in the German version of Outlook 2016.
  • Fixed: Internet Message Access Protocol (IMAP) users see Outlook stop syncing new email messages until they restart Outlook.
  • Fixed: Users who are changing items on a manager’s shared calendar may receive the following error message: “The operation cannot be performed because the message has been changed.”
  • Fixed: Users experience crashes when they open .msg and .oft files after they apply a recent Windows update.

View: Download information for KB4484433

Note: This update can be installed via Microsoft Update and updates Outlook to version 16.0.5017.1000. This update does not apply to Perpetual and Office 365 based installations of Office 2016.


Outlook 2013 Security Update for July 2020

News

A Security Update has been released for Outlook 2013. It resolves the following vulnerability:

  • CVE-2020-1349: Microsoft Outlook Remote Code Execution Vulnerability
    A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.
    To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
    Note that the Preview Pane is an attack vector for this vulnerability.
    The security update addresses the vulnerability by correcting how Microsoft Outlook handles files in memory.

View: Download information for KB4484363

Note: This update can be installed via Microsoft Update or the Update Now button when you are using Office 2013 Click-To-Run and updates Outlook to version 15.0.5257.1000.