HowTo-Outlook

A new rollup update has been made available for all Click-to-Run installations of Outlook 2016, Outlook 2019 and Outlook as part of an Office 365 subscription.

It contains 6 security updates for Excel (2), Word (1) and Office (3). The following vulnerability and its fix also affects Outlook;

• CVE-2020-0760: Microsoft Office Remote Code Execution Vulnerability
  A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  To exploit the vulnerability, an attacker must first convince a user to open a specially crafted Office document.
  The updates address the vulnerability by correcting how Office handles type libraries.

Note: Some types of Visual Basic for Applications (VBA) references might be affected by this update. For more information, see FAQ for VBA solutions affected by April 2020 Office security updates.

In addition, it contains 1 documented non-security fixes for Outlook Monthly, 2 for Semi-Annual 1908 and 4 for Semi-Annual (Targeted) 2002. Most notable fixes are;

• Monthly and Targeted: Addressed an issue that caused users to occasionally experience a crash when using the X button on the mouse.
• Targeted: Addressed an issue that caused the Save to Cloud button to be missing from Attachment Tools.
• Semi-Annual 1908: Addressed an issue that caused customers to see an empty room list in some scenarios.
• Semi-Annual 1908:
  Addressed an issue that caused users to experience a crash when shutting down Outlook.

Based on your release channel, you’ll be updated to the following version;

• Office 365, Outlook 2016 Retail, Outlook 2019 Retail
  Version 2003 (Build 12624.20442)
• Office 365 Semi Annual (Targeted)
  Version 2002 (Build 12527.20442)
• Office 365 Semi Annual
  Version 1908 (Build 11929.20708)
  Version 1902 (Build 11328.20564) 
• Outlook 2019 Volume License
  Version 1808 (Build 10358.20061)

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook itself or the Microsoft Store. This update does not apply to msi-based installation of Office 2016.

A Security Update has been released for Outlook 2016. It resolves the following vulnerability;

• CVE-2020-0760: Microsoft Office Remote Code Execution Vulnerability
  A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  To exploit the vulnerability, an attacker must first convince a user to open a specially crafted Office document.
  The updates address the vulnerability by correcting how Office handles type libraries.

Note: Some types of Visual Basic for Applications (VBA) references might be affected by this update. For more information, see FAQ for VBA solutions affected by April 2020 Office security updates.

This update also contains 3 additional fixes or improvements for non-security issues;

• Makes updates to the United Kingdom holidays in the Outlook holiday file (Outlook.HOL). If the United Kingdom holidays have been added to your Outlook Desktop calendar, delete the existing events before you apply this update. For more information about how to update holidays, see Holiday updates for the Outlook Calendar.
• Fixes an issue that prevents users from reopening an .msg file after they drag and drop an attachment from that message.
• Fixes an issue in which Outlook makes unnecessary requests to fetch web add-ins from Exchange.

View: Download information for KB4484274

Note: This update can be installed via Microsoft Update and updates Outlook to version 16.0.4993.1001. This update does not apply to Perpetual and Office 365 based installations of Office 2016.

A Security Update has been released for Outlook 2013. It resolves the following vulnerability;

• CVE-2020-0760: Microsoft Office Remote Code Execution Vulnerability
  A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  To exploit the vulnerability, an attacker must first convince a user to open a specially crafted Office document.
  The updates address the vulnerability by correcting how Office handles type libraries.

Note: Some types of Visual Basic for Applications (VBA) references might be affected by this update. For more information, see FAQ for VBA solutions affected by April 2020 Office security updates.

View: Download information for KB4484281

Note: This update can be installed via Microsoft Update or the Update Now button when you are using Office 2013 Click-To-Run and updates Outlook to version 15.0.5233.1000.

A Security Update has been released for Outlook 2010. It resolves the following vulnerability;

• CVE-2020-0760: Microsoft Office Remote Code Execution Vulnerability
  A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  To exploit the vulnerability, an attacker must first convince a user to open a specially crafted Office document.
  The updates address the vulnerability by correcting how Office handles type libraries.

Note: Some types of Visual Basic for Applications (VBA) references might be affected by this update. For more information, see FAQ for VBA solutions affected by April 2020 Office security updates.

View: Download information for KB4484284

Note: This update can be installed via Microsoft Update and updates Outlook to version 14.0.7248.5000.

Microsoft has just released the March feature update of Outlook for Office 365 (Monthly Channel) and it comes with 2 new features for Outlook and 1 highlighted fix.

• Drag email to a group you own
  Move and copy messages and conversations by dragging them from your inbox. Messages you drag will be shared with all group members.
• New experience for captive wifi networks
  Have you ever joined a wifi network that required a web page to sign in with? Outlook now detects this and helps you get connected. (Woohoo! Finally! )
• Addressed an issue that caused users to see the Outlook process lingering in task manager after exiting.

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook or the Microsoft Store and updates Outlook to: Version 2003 (Build 12624.20320).

Cumulative Update 5 for Exchange 2019 is now available. It contains 2 security updates and 18 additional documented new fixes or improvements, as well as all previously released fixes and security updates for Exchange 2019 and the latest DST updates.

Notable improvements, changes and fixes are;

• KB4552472: Exchange Server 2019 Sizing Calculator version 10.4 is available.
  Version 10.4 of the calculator includes improvements to the logic to detect whether a design is bound by mailbox size (capacity) or throughput (IOPs) which affects the maximum number of mailboxes a database will support.
• KB4547719: MCDB status is “Offline” and SSDs are not formatted.
• KB4547720: Partial word searches not working for mailboxes in Outlook online mode.
• KB4547706: Birthday isn’t correctly synced to iOS native mail app.
• KB4547711: Public folder permissions aren’t applied from Outlook.
• KB4547713: IsOnlineMeeting is always false for Teams-only meetings.
• KB4547723: Can’t sign in to Office 365 if configuring hybrid with Chrome SameSite Cookie enabled.
• KB4536987: Description of the security update for Microsoft Exchange Server 2019 and 2016: February 11, 2020 which discusses CVE-2020-0692 and CVE-2020-0688. These updates were released separately for CU4 as well.

This release includes no new updates to the Active Directory Schema.
The next planned quarterly update is in June 2020.

Download: Cumulative Update 5 for Exchange Server 2019 (KB4537677) (from MVLC)
View: Description of Cumulative Update 5 for Exchange Server 2019
View: Blog post of the Exchange Team about CU5 for Exchange Server 2019

Cumulative Update 16 for Exchange 2016 is now available. It contains 2 security updates and 13 additional documented new fixes or improvements, as well as all previously released fixes and security updates for Exchange 2016 and the latest DST updates.

Notable improvements, changes and fixes are;

• KB4547706: Birthday isn’t correctly synced to iOS native mail app.
• KB4547711: Public folder permissions aren’t applied from Outlook.
• KB4547713: IsOnlineMeeting is always false for Teams-only meetings.
• KB4547723: Can’t sign in to Office 365 if configuring hybrid with Chrome SameSite Cookie enabled.
• KB4536987: Description of the security update for Microsoft Exchange Server 2019 and 2016: February 11, 2020 which discusses CVE-2020-0692 and CVE-2020-0688. These updates were released separately for CU15 as well.

This release includes no new updates to the Active Directory Schema.
The next planned quarterly update is in June 2020. 

Download: Cumulative Update 16 for Exchange Server 2016 (KB4537678) (not yet available at the time of writing)
Download: Exchange Server 2016 CU16 UM Language Packs (not yet available at the time of writing)
View: Description of Cumulative Update 16 for Exchange Server 2016
View: Blog post of the Exchange Team about CU16 for Exchange Server 2016

A new rollup update has been made available for all Click-to-Run installations of Outlook 2016, Outlook 2019 and Outlook as part of an Office 365 subscription.

It contains 4 security updates for Word.

No fixes were mentioned for any of the Outlook versions but a new Semi-Annual (Targeted) version has been released (Version 2002) which will become the Semi-Annual version in July.

Based on your release channel, you’ll be updated to the following version;

• Office 365, Outlook 2016 Retail, Outlook 2019 Retail
  Version 2002 (Build 12527.20278)
• Office 365 Semi Annual (Targeted)
  Version 2002 (Build 12527.20278)
• Office 365 Semi Annual
  Version 1908 (Build 11929.20648)
  Version 1902 (Build 11328.20554) 
• Outlook 2019 Volume License
  Version 1808 (Build 10357.20081)

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook itself or the Microsoft Store. This update does not apply to msi-based installation of Office 2016.

A Rollup Update has been released for Outlook 2016. This is a non-security update which contains the following documented improvements fixes.

• Fixes an issue that causes the user selection for the hash algorithm not to persist.
• Fixes an issue that causes crashes when users run rules on certain email messages.
• Fixes an issue in which Outlook sometimes crashes when you view calendar sharing requests by having “Read all standard mail in plain text” turned on.
• When you send a meeting request that contains attachments, the attachments may be duplicated in the calendar items. This issue occurs when Outlook runs against an Office 365 account in Online mode.
• Fixes an issue that causes Outlook to use an excessive amount of CPU when you view the calendar window and resize the window to a narrower size.
• Fixes an issue that causes some users to experience a crash.

View: Download information for KB4462111

Note: This update can be installed via Microsoft Update and updates Outlook to version 16.0.4978.1000. This update does not apply to Perpetual and Office 365 based installations of Office 2016.

Security updates have been released for Exchange 2016 and Exchange 2019.

• CVE-2020-0903: Microsoft Exchange Server Spoofing Vulnerability
  A cross-site-scripting (XSS) vulnerability exists when Microsoft Exchange Server does not properly sanitize a specially crafted web request to an affected Exchange server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected server.
  The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the Exchange server on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.
  The security update addresses the vulnerability by helping to ensure that Exchange Server properly sanitizes web requests.

View: Description of the security update for Microsoft Exchange Server 2019 and 2016: March 10, 2020
Download: Security Update For Exchange Server 2019 CU4 (KB4540123)
Download: Security Update For Exchange Server 2019 CU3 (KB4540123)
Download: Security Update For Exchange Server 2016 CU15 (KB4540123)
Download: Security Update For Exchange Server 2016 CU14 (KB4540123)