HowTo-Outlook

Security updates have been released for Exchange 2013, Exchange 2016 and Exchange 2019.

The updates fix the following vulnerabilities;

• CVE-2023-21745: Spoofing Vulnerability
• CVE-2023-21761: Information Disclosure Vulnerability
• CVE-2023-21762: Spoofing Vulnerability
• CVE-2023-21763: Elevation of Privilege Vulnerability
• CVE-2023-21764: Elevation of Privilege Vulnerability

None of the vulnerabilities are currently publicly disclosed or exploited. However, CVE-2023-21745 is rated as “Exploitation More Likely” so make sure you update as soon as possible!

From the above vulnerabilities, Exchange 2013 is only affected by CVE-2023-21762. Note however that Exchange 2013 will go out of support on April 11, 2023 so make sure you have your migration plan in order to remain supported.

This release introduces a new feature called; Certificate signing of PowerShell serialization payload in Exchange Server. In short, this helps defend Exchange servers against attacks on serialized data. This feature must be enabled manually but there is a script available for it as well.

The updates also contain the following non-security issues;

• Store Worker Process stops and returns “System.NullReferenceExceptions” multiple times per day (Exchange 2019 and Exchange 2016)
• Can’t record or play in Exchange Unified Messaging (Exchange 2016 and Exchange 2013)
• Exchange Application log is flooded with Event ID 6010 (Exchange 2016)

View: Exchange Blog: Released: Released: January 2023 Exchange Server Security Updates
View: Description of the security update for Microsoft Exchange Server 2019: January 10, 2023 (KB5022193)
View: Description of the security update for Microsoft Exchange Server 2016: January 10, 2023 (KB5022143)
View: Description of the security update for Microsoft Exchange Server 2013: January 10, 2023 (KB5022188)

Download: Security Update for Exchange 2019 CU11 and CU12
Download: Security Update for Exchange 2016 CU23
Download: Security Update for Exchange 2013 CU23

We’re already into the New Year, but Microsoft has now released the December 2022 feature update of Outlook for Microsoft 365 Apps in the Current Channel.

Considering the holidays, it is no surprise that this update is quite light on feature updates and fixes.

Nevertheless, Word got a very cool new feature where you can turn your comment into a task for a team member.

• Tag your team members with tasks
  Create and assign tasks without leaving Word. Simply add a comment, @mention your team member, press Ctrl + Enter, and check Assign. Your comment becomes a task, and your work is done!

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook or the Microsoft Store and updates Outlook to: Version 2212 (Build 15928.20198).

The December security and rollup update has been made available for all Click-to-Run installations of Outlook 2016, Outlook 2019, Outlook 2021 and Outlook as part of a Microsoft 365 subscription.

It contains 11 security updates for OneNote (1), Visio (3) and Office (7).

In addition, it contains 1 documented non-security fix related to Outlook Monthly Enterprise Version 2210, 4 fixes for Semi-Annual Preview Version 2208, and 2 fixes for Semi-Annual Version 2202.

• Version 2210
  • We fixed an issue that caused emails to get stuck in the outbox for some profiles with multiple Exchange accounts configured.
• Version 2208
  • We fixed an issue that was causing users to see multiple copies of a shared calendar rendered in certain circumstances.
  • Resolved an issue where Outlook would close unexpectedly when clicking on certain email messages with Word document attachments and the reading pane is set to “Right”.
• Version 2208 and Version 2202
  • We defined a Registry key that when set fixes an issue that prevented messages from being sent when Outlook is running with multiple Exchange accounts and at least one of them is in Online mode (as opposed to cached mode.)
    • Key: HkCU\Software\Microsoft\Office\16.0\Outlook\RPC
    • Value Name: UseInclusiveGlobalOfflineCapabilities
    • Value type: REG_DWORD
    • Value (Default): 0
    • Value 1 = Adjusts the Global Offline Capabilities for profiles with Exchange accounts, so that they are less restrictively aggregated/computed.
  • We fixed an issue that caused users to see copies of all of their sent items appearing in their Outbox folder.

Based on your release channel, you’ll be updated to the following version;

• Microsoft 365 Apps, Outlook 2016 Retail, Outlook 2019 Retail, Outlook 2021 Retail
  Version 2211 (Build 15831.20208)
• Monthly Enterprise
  Version 2210 (Build 15726.20262)
  Version 2209 (Build 15629.20298)
• Semi-Annual Enterprise (Preview)
  Version 2208 (Build 15601.20378)
• Semi-Annual Enterprise
  Version 2202 (Build 14931.20858)
  Version 2108 (Build 14326.21248) 
• Outlook LTSC 2021
  Version 2108 (Build 14332.20435)
• Outlook 2019 Volume Licensed
  Version 1808 (Build 10393.20026)

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook itself or the Microsoft Store. This update does not apply to msi-based installations of Office 2016.

A week late, but Microsoft finally released the November feature update of Outlook for Microsoft 365 Apps in the Current Channel.

This month’s update is very minimal when it comes to Outlook as there is only 1 new (enterprise) feature an 1 highlighted bug fix.

• S/MIME as an Outcome for labelling
  Providing S/MIME encryption and signing functionality as an outcome of labelling.
• We fixed an issue that caused the focus on the message list to be lost when using CTRL+Tab to navigate from a folder in one mailbox to a folder in another mailbox.

Excel got another exciting update this month with the following new feature;

• Insert in-cell images with the new IMAGE function
  Your images can now be part of the worksheet, instead of floating on top. You can move and resize cells, sort and filter, and work with images within an Excel table.

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook or the Microsoft Store and updates Outlook to: Version 2211 (Build 15831.20190).

The November security and rollup update has been made available for all Click-to-Run installations of Outlook 2016, Outlook 2019, Outlook 2021 and Outlook as part of a Microsoft 365 subscription.

It contains 8 security updates for Excel (3), Word (3) and Office (2).

In addition, it contains 6 documented non-security fixes related to Outlook Monthly Enterprise Version 2209 , and 2 fixes for Monthly Enterprise Version 2202.

• Version 2209
  • We fixed an issue that caused Outlook to close unexpectedly when submitting feedback.
  • We fixed an issue that caused users who disabled service notifications to see a deprecated UI showing notifications service disabled.
  • We fixed and issue that caused users to experience a close unexpectedly shortly after boot.
  • We fixed an issue that caused users to experience a close unexpectedly on bringing up some persona cards.
  • We fixed an issue that caused emails to get stuck in the outbox for some profiles with multiple Exchange accounts configured.
  • We fixed an issue that caused users to experience a close unexpectedly when switching views in the calendar module.
• Version 2202
  • We fixed an issue that caused users to experience a close unexpectedly when clicking on “Feedback.”
  • We fixed an issue that caused mails outside of the client sync window to be lost when moving a folder from a cached Outlook profile to the Online Archive.

Based on your release channel, you’ll be updated to the following version;

• Microsoft 365 Apps, Outlook 2016 Retail, Outlook 2019 Retail, Outlook 2021 Retail
  Version 2210 (Build 15726.20202)
• Monthly Enterprise
  Version 2209 (Build 15629.20258)
  Version 2208 (Build 15601.20286)
• Semi-Annual Enterprise (Preview)
  Version 2208 (Build 15601.20286)
• Semi-Annual Enterprise
  Version 2202 (Build 14931.20806)
  Version 2108 (Build 14326.21200) 
• Outlook LTSC 2021
  Version 2108 (Build 14332.20416)
• Outlook 2019 Volume Licensed
  Version 1808 (Build 10392.20029)

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook itself or the Microsoft Store. This update does not apply to msi-based installations of Office 2016.

Security updates have been released for Exchange 2013, Exchange 2016 and Exchange 2019.

The updates fix the following vulnerabilities;

• CVE-2022-41040: Microsoft Exchange Server Elevation of Privilege Vulnerability 
• CVE-2022-41082: Microsoft Exchange Server Elevation of Privilege Vulnerability 
• CVE-2022-41078: Microsoft Exchange Server Elevation of Privilege Vulnerability 
• CVE-2022-41123: Microsoft Exchange Server Elevation of Privilege Vulnerability
• CVE-2022-41079: Microsoft Exchange Server Elevation of Privilege Vulnerability 
• CVE-2022-41080: Microsoft Exchange Server Elevation of Privilege Vulnerability

Note that this Security Update also addresses the zero-day vulnerabilities of September 29 (CVE-2022-41040 and CVE-2022-41082). If you have the mitigations for those applied as instructed in a previous blog post by the Exchange Team, you can keep those applied or remove them after installing the updates.

Even with these mitigations applied, it is important to apply these updates with the actual code-level fixes as soon as possible as these vulnerabilities as actively exploited! Also, 3 of the other vulnerabilities have a rating of “Exploitation More Likely”.

The updates also contain the following non-security issues;

• Delivery Report search from ECP might fail with IIS logs showing SEC_E_BAD_BINDINGS in a cross-site scenario after enabling Extended Protection
• Export-UMPrompt could fail with InvalidResponseException

View: Exchange Blog: Released: November 2022 Exchange Server Security Updates
View: Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: November 8, 2022 (KB5019758)

Download: Security Update for Exchange 2019 CU11 and CU12
Download: Security Update for Exchange 2016 CU22 and CU23
Download: Security Update for Exchange 2013 CU23

Microsoft released the October feature update of Outlook for Microsoft 365 Apps in the Current Channel.

This month’s update is very minimal when it comes to Outlook as there is only 1 highlighted bug fix and again no new features.

• We fixed an issue that caused emails to get stuck in the outbox for some profiles with multiple Exchange accounts configured.

Excel got a much more exciting update this month with the following new feature;

• Get data for your workbooks by importing an image
  Turn images with text into content you can edit in Excel. With the Data from Picture feature, you can convert the information in an image to data on a worksheet.

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook or the Microsoft Store and updates Outlook to: Version 2210 (Build 15726.20174).

The October security and rollup update has been made available for all Click-to-Run installations of Outlook 2016, Outlook 2019, Outlook 2021 and Outlook as part of a Microsoft 365 subscription.

It contains 4 security updates for Word (3) and Office (1).

In addition, it contains 1 documented non-security fixes related to Outlook Current Version 2209, 12 fixes for Monthly Enterprise Version 2208, and 6 fixes for Semi-Annual Preview Version 2208. Most notable fixes are;

• Version 2209
• We fixed an issue that caused emails to get stuck in the outbox for some profiles with multiple Exchange accounts configured.
• Version 2208 (Monthly Enterprise and Semi-Annual Preview)
• We fixed an issue that caused Modern Groups related dialogs to be heavily broken.
• We fixed an issue that caused users to experience a close unexpectedly on bringing up some persona cards.
• Version 2208 Enterprise
• We fixed an issue that caused users to be unable to load linked images when replying to or forwarding a message.
• We fixed an issue where Outlook couldn’t open a message that was sent using Outlook on the web and contained a comment that was copied from Word.
• We fixed an issue related to rendering SVG graphics in Outlook.

One of the fixes mentioned for Monthly Enterprise Version 2208 could actually be considered a new feature instead;

• Every Meeting Online option for third party meeting applications
  This change enables the Every Meeting Online option for third party meeting applications.
• File-> Options-> Calendar-> Add online meeting to all meetings: Add Meeting Provider…
• Supported are; Zoom for Outlook, Cisco WebEx Scheduler, BlueJeans Meetings, GoTo for Outlook, Google Meet, and JioMeet for Outlook.

Based on your release channel, you’ll be updated to the following version;

• Microsoft 365 Apps, Outlook 2016 Retail, Outlook 2019 Retail, Outlook 2021 Retail
  Version 2209 (Build 15629.20208)
• Monthly Enterprise
  Version 2208 (Build 15601.20230)
  Version 2207 (Build 15427.20308)
• Semi-Annual Enterprise (Preview)
  Version 2208 (Build 15601.20230)
• Semi-Annual Enterprise
  Version 2202 (Build 14931.20764)
  Version 2108 (Build 14326.21186) 
• Outlook LTSC 2021
  Version 2108 (Build 14332.20400)
• Outlook 2019 Volume Licensed
  Version 1808 (Build 10391.20029)

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook itself or the Microsoft Store. This update does not apply to msi-based installations of Office 2016.

Security updates have been released for Exchange 2013, Exchange 2016 and Exchange 2019.

The updates fix the following vulnerabilities;

• CVE-2022-21979: Microsoft Exchange Information Disclosure Vulnerability 
• CVE-2022-21980: Microsoft Exchange Server Elevation of Privilege Vulnerability 
• CVE-2022-24477: Microsoft Exchange Server Elevation of Privilege Vulnerability 
• CVE-2022-24516: Microsoft Exchange Server Elevation of Privilege Vulnerability 
• CVE-2022-30134: Microsoft Exchange Server Elevation of Privilege Vulnerability 
• CVE-2022-34692: Microsoft Exchange Information Disclosure Vulnerability

None of the vulnerabilities are currently publicly disclosed nor being exploited. However, for 3 of the vulnerabilities the exploitability assessment is regarded as “More Likely”, so it is important to update as soon as possible.

You might have recognized that these are the same vulnerabilities as from the Security Updates for August. That re-release is due to address a known issue.

Note however that this Security Update does not address the zero-day vulnerabilities of September 29 (CVE-2022-41040 and CVE-2022-41082). You’d still need to have the mitigations for those applied as instructed in a previous blog post by the Exchange Team.

In addition to installing the update, you must also enable Windows Extended Protection to protect yourself from the vulnerabilities. This is unfortunately not a simple thing to enable as it is not compatible with all configurations. Therefor, make sure you carefully read the Extended Protection documentation and use the provided script to enable it.

The updates also contain the following non-security issues;

• KB5019807: Can’t finish the E-discovery process for an on-premises mailbox
• KB5019808: E-Discovery search fails in Exchange Online

View: Exchange Blog: Released: October 2022 Exchange Server Security Updates
View: Description of the security update for Microsoft Exchange Server 2019 and 2016: October 11, 2022 (KB5019077)
View: Description of the security update for Microsoft Exchange Server 2013: October 11, 2022 (KB5019076)

Download: Security Update for Exchange 2019 CU11 and CU12
Download: Security Update for Exchange 2016 CU22 and CU23
Download: Security Update for Exchange 2013 CU23

Microsoft released the September feature update of Outlook for Microsoft 365 Apps in the Current Channel.

This month’s update is again a bit unexciting for Outlook as there are only 5 highlighted bug fixes and no new features.

• We fixed an issue that caused users to experience a close unexpectedly when switching views in the calendar module.
• We fixed an issue that caused Modern Groups related dialogs to be heavily broken.
• We fixed and issue that caused users to experience a close unexpectedly shortly after boot.
• We fixed an issue that caused users who disabled service notifications to see a deprecated UI showing notifications service disabled.
• We fixed an issue that caused Outlook to close unexpectedly when submitting feedback.

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook or the Microsoft Store and updates Outlook to: Version 2209 (Build 15629.20156).