Exchange 2019, 2016 and 2013 Security Updates for January 2019

News

Security updates have been released for Exchange 2013, Exchange 2016 and Exchange 2019. They resolve the following 2 vulnerabilities:

  • CVE-2019-0586: Microsoft Exchange Memory Corruption Vulnerability
    A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts. Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.
  • CVE-2019-0588: Microsoft Exchange Information Disclosure Vulnerability
    An information disclosure vulnerability exists when the Microsoft Exchange PowerShell API grants calendar contributors more view permissions than intended. To exploit this vulnerability, an attacker would need to be granted contributor access to an Exchange Calendar by an administrator via PowerShell. The attacker would then be able to view additional details about the calendar that would normally be hidden.

View: Description of the security update for Microsoft Exchange Server 2019, 2016, and 2013: January 8, 2019
Download: Security Update For Exchange Server 2013 CU21 (KB4471389)
Download: Security Update For Exchange Server 2016 CU10 (KB4471389)
Download: Security Update For Exchange Server 2016 CU11 (KB4471389)
Download: Security Update For Exchange Server 2019 (KB4471389)



Exchange 2010 SP3 Rollup 25

News

Update Rollup 25 for Exchange 2010 Service Pack 3 is now available. It contains 1 documented new security update and all previously released fixes and security updates for Exchange 2010 SP3. Note that mainstream support for Exchange 2010 has already ended.

  • CVE-2019-0588: Microsoft Exchange Information Disclosure Vulnerability
    An information disclosure vulnerability exists when the Microsoft Exchange PowerShell API grants calendar contributors more view permissions than intended. To exploit this vulnerability, an attacker would need to be granted contributor access to an Exchange Calendar by an administrator via PowerShell. The attacker would then be able to view additional details about the calendar that would normally be hidden.

View: Description of Update Rollup 25 for Exchange Server 2010
Download: Update Rollup 25 For Exchange 2010 SP3 (KB4468742)


Outlook 2016 / 2019 / 365 Security Update for December 2018

News

A Security Update has been released for Outlook 2016 Retail, Outlook 2019 and Office 365. It resolves the following vulnerability:

  • CVE-2018-8587
    Which could allow remote code execution via a specially crafted file attachment which must be opened by a user.

Based on your release channel, you’ll be updated to the following version:

  • Office 365, Outlook 2016 Retail, Outlook 2019 Retail
    Version 1811 (Build 11029.20108)
  • Outlook 2019 Volume License
    Version 1808 (Build 10339.20026)
  • Office 365 Semi Annual Channel
    Version 1803 (Build 9126-2336)

Note: Depending on your installation type, this update can be installed via the Microsoft Store or the Update Now button in Outlook itself. This update does not apply to MSI-based installations of Office 2016.


Outlook 2016 (MSI) Security Update for December 2018

News

A Security Update has been released for Outlook 2016. It resolves the following vulnerability:

  • CVE-2018-8587
    Which could allow remote code execution via a specially crafted file attachment which must be opened by a user.

This update also contains additional fixes for 2 non-security issues:

  • When you attach a file that contains the “&” character in its name to an email message, the “&” character isn’t displayed in the attachment name.
  • After you set the DisableCrossAccountCopy policy, you can’t move a folder to another location in the same email account.

View: Download information for KB4461544

Update: An additional update (KB4011722) has been released this month. It resolves an issue where mail delivery rules stop working and opening the Manage Rules & Alerts dialog returns the following error:

The operation failed because of a registry or installation problem. Restart Outlook and try again. If the problem persists, reinstall.

Note: This update can be installed via Microsoft Update and updates Outlook to version 16.0.4783.1000 and the updated release to version 16.0.4783.1001. This update does not apply to Perpetual and Office 365 based installations of Office 2016.


Outlook 2013 Security Update for December 2018

News

A Security Update has been released for Outlook 2013. It resolves the following vulnerability:

  • CVE-2018-8587
    Which could allow remote code execution via a specially crafted file attachment which must be opened by a user.

View: Download information for KB4461556

Update: An additional update (KB4011029) has been released this month. It resolves an issue where mail delivery rules stop working and opening the Manage Rules & Alerts dialog returns the following error:

The operation failed because of a registry or installation problem. Restart Outlook and try again. If the problem persists, reinstall.

Note: This update can be installed via Microsoft Update or the Update Now button when you are using Office 2013 Click-To-Run and updates Outlook to version 15.0.5093.1000 and the updated release to version 15.0.5093.1001.


Outlook for Office 365 Feature Update for November 2018

News

Outlook for Office 365 (Monthly Channel) got the following new features or major changes this month:

  • Zoom and stick
    Instead of adjusting Zoom each time you read a message, choose a default to use for all your messages.
  • Outlook Async Move Messages
    Messages are now moved asynchronously to increase productivity for Outlook users.
  • Polished the Focused Inbox on and off experiences
    Unread email now shows on all folders, not just the Inbox, when Focused Inbox is turned off. Sort by Flag Status added. Better interaction of Focused Inbox with Search: Focused Inbox remains until a search begins. ‘Results’ text is shown after a search completes.

Note: Depending on your installation type, this update can be installed via the Microsoft Store or the Update Now button in Outlook itself and updates Outlook to: Version 1811 (Build 11029.20079).


Outlook 2016 / 2019 / 365 Security Update for November 2018

News

A Security Update has been released for Outlook 2016 Retail, Outlook 2019 and Office 365. It resolves the following 6 vulnerabilities:

  • CVE-2018-8522, CVE-2018-8524 and CVE-2018-8576
    Which could allow remote code execution via a specially crafted Office file.
  • CVE-2018-8582
    Which could allow remote code execution when importing a specially crafted rwz-file (rules export).
  • CVE-2018-8558 and CVE-2018-8579
    Which could lead to information disclosure as users could share anonymously-accessible links to other users via email where these links are intended to be accessed only by specific users.

Based on your release channel, you’ll be updated to the following version:

  • Office 365, Outlook 2016 Retail, Outlook 2019 Retail
    Version 1810 (Build 11001.20108)
  • Outlook 2019 Volume License
    Version 1808 (Build 10338.20019)
  • Office 365 Semi Annual Channel
    Version 1803 (Build 9126-2315)

Note: Depending on your installation type, this update can be installed via the Microsoft Store or the Update Now button in Outlook itself. This update does not apply to MSI-based installations of Office 2016.


Outlook 2016 (MSI) Security Update for November 2018

News

A Security Update has been released for Outlook 2016. It resolves the vulnerabilities mentioned in CVE-2018-8522, CVE-2018-8524 and CVE-2018-8576 which could allow remote code execution via a specially crafted Office file as well as CVE-2018-8582 which could allow remote code execution when importing a specially crafted rwz-file (rules export).

This update also contains additional fixes for 13 non-security issues. The most notable are:

  • When you switch between Mail and Calendar, Outlook 2016 crashes.
  • When you reply to or forward an internal email message, the email address is not displayed in the message body. Only the display name is displayed.
  • When the primary email address and User Principal Name (UPN) are changed in Active Directory or Azure Active Directory, the old SMTP address and UPN in a user’s Outlook profile file aren’t changed.
  • When you reply to an Information Rights Management (IRM)-protected email message, you receive the following error message:
    • The operation failed. The messaging interfaces have returned an unknown error. If the problem persists, restart Outlook. [OK].
  • This update allows you to hide the retention policy User Interface (UI) via the SuppressRetentionPolicyUI Registry key.
  • This update enables support for TLS version 1.2 for IMAP, POP, and SMTP connections.

View: Download information for KB4461506

Note: This update can be installed via Microsoft Update and updates Outlook to version 16.0.4756.1001. This update does not apply to Perpetual and Office 365 based installations of Office 2016.