Outlook 2016 / 2019 / 365 Update for August 2019

News

A new rollup update has been made available for all Click-to-Run installations of Outlook 2016, Outlook 2019 and Outlook as part of an Office 365 subscription.

It contains 6 security updates for Outlook (3), Word (2) and Office (1). Details about the Outlook vulnerabilities:

  • CVE-2019-1199: Microsoft Outlook Memory Corruption Vulnerability
    A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. Note that the Preview Pane is an attack vector for this vulnerability.
  • CVE-2019-1200: Microsoft Outlook Remote Code Execution Vulnerability
    A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. Note that the Preview Pane is not an attack vector for this vulnerability.
  • CVE-2019-1204: Microsoft Outlook Elevation of Privilege Vulnerability
    An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages. An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB). To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email.

Based on your release channel, you’ll be updated to the following version:

  • Office 365, Outlook 2016 Retail, Outlook 2019 Retail
    Version 1907 (Build 11901.20218)
  • Outlook 2019 Volume License
    Version 1808 (Build 10349.20017)
  • Office 365 Semi Annual Channel
    Version 1902 (Build 11328.20392)
    Version 1808 (Build 10730.20370)
    Version 1803 (Build 9126.2432)

Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook itself or the Microsoft Store. This update does not apply to MSI-based installations of Office 2016.


       


      Outlook 2016 Security Update for August 2019

      News

      A Security Update has been released for Outlook 2016. It resolves the following 2 vulnerabilities and includes 6 additional non-security improvements or fixes:

      • CVE-2019-1200: Microsoft Outlook Remote Code Execution Vulnerability
        A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. Note that the Preview Pane is not an attack vector for this vulnerability.
      • CVE-2019-1204: Microsoft Outlook Elevation of Privilege Vulnerability
        An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages. An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB). To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email.
      • Improved translations for all language versions of Outlook 2016.
      • Fix: In certain circumstances, such as switching folders or clearing search results, you see a black rectangle instead of the message list scroll bar.
      • Fix: The Notes and Message fields in some Outlook Items that are created by migration tools may not be editable.
      • Fix: The first time that you switch to Calendar view after you log in to Outlook, the primary calendar is not selected by default. Instead, a shared calendar is selected.
      • Fix: When you save a single attachment by using the context menu, you are not notified if the operation fails.
      • Fix: If a user sends an email message that contains combined languages in the Subject line, and a recipient sends a read receipt to the message, the original sender may see broken text in the Subject line of the read receipt. This update adds the ReadReceiptSubjectUseEnglish registry key to force the Subject line of a read receipt to be in English. To fix this issue for all users, set the following registry key in Group Policy:
        • Location: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Preferences
        • Name: ReadReceiptSubjectUseEnglish
        • Type: DWORD
        • Value data: 1

      View: Download information for KB4475553

      Note: This update can be installed via Microsoft Update and updates Outlook to version 16.0.4888.1000. This update does not apply to Perpetual and Office 365 based installations of Office 2016.


      Outlook 2013 Security Update for August 2019

      News

      A Security Update has been released for Outlook 2013. It resolves the following 2 vulnerabilities and includes 2 additional non-security improvements or fixes:

      • CVE-2019-1200: Microsoft Outlook Remote Code Execution Vulnerability
        A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. Note that the Preview Pane is not an attack vector for this vulnerability.
      • CVE-2019-1204: Microsoft Outlook Elevation of Privilege Vulnerability
        An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages. An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB). To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email.
      • Improved translations for all language versions of Outlook 2013.
      • Fix: The Notes and Message fields in some Outlook Items that are created by migration tools may not be editable.

      View: Download information for KB4475563

      Note: This update can be installed via Microsoft Update or the Update Now button when you are using Office 2013 Click-To-Run and updates Outlook to version 15.0.5163.1000.


      Outlook 2010 Security Update for August 2019

      News

      A Security Update has been released for Outlook 2010. It resolves the following 2 vulnerabilities and includes 1 additional non-security fix:

      • CVE-2019-1200: Microsoft Outlook Remote Code Execution Vulnerability
        A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. Note that the Preview Pane is not an attack vector for this vulnerability.
      • CVE-2019-1204: Microsoft Outlook Elevation of Privilege Vulnerability
        An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages. An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB). To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email.
      • Fix: The Notes and Message fields in some Outlook Items that are created by migration tools may not be editable.

      View: Download information for KB4475573

      Note: This update can be installed via Microsoft Update and updates Outlook to version 14.0.7236.5000.


      Outlook for Office 365 Feature Update for July 2019

      News

      The July feature update of Outlook for Office 365 (Monthly Channel) is now available and it comes with one major change for Outlook.

      • Get email suggestions when you search for a person
        When you type a person’s name in the Search box, the most relevant email messages will be included with your search suggestions.

      Word, Excel and PowerPoint also got a couple of new features. The one that I’m quite happy about and which applies to all 3 applications is:

      • No more bouncing to the browser
        You decide how links to Office documents open: in the browser or in the app.
        File -> Options -> Advanced -> Open supported hyperlinks to Office files in Office desktop apps

      Note: Depending on your installation type, this update can be installed via the Microsoft Store or the Update Now button in Outlook itself and updates Outlook to: Version 1907 (Build 11901.20176).


      Outlook 2016 / 2019 / 365 Update for July 2019

      News

      A new rollup update has been made available for all Click-to-Run installations of Outlook 2016, Outlook 2019 and Outlook as part of an Office 365 subscription.

      It contains 6 security updates for Excel (3), Outlook (1), Skype (1) and Office (1). Details about the Outlook vulnerability:

      • CVE-2019-1084: Microsoft Exchange Information Disclosure Vulnerability (All)
        An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters. An authenticated attacker could exploit this vulnerability by creating entities with invalid display names, which, when added to conversations, remain invisible. This security update addresses the issue by validating display names upon creation in Microsoft Exchange, and by rendering invalid display names correctly in Microsoft Outlook clients.

      In addition, an Outlook issue has been addressed that caused current folder search to intermittently fail.

      Based on your release channel, you’ll be updated to the following version:

      • Office 365, Outlook 2016 Retail, Outlook 2019 Retail
        Version 1906 (Build 11727.20244)
      • Outlook 2019 Volume License
        Version 1808 (Build 10348.20020)
      • Office 365 Semi Annual Channel
        Version 1902 (Build 11328.20368)
        Version 1808 (Build 10730.20360)
        Version 1803 (Build 9126.2428)

      Note: Depending on your installation type, this update can be installed via the Microsoft Store or the Update Now button in Outlook itself. This update does not apply to MSI-based installations of Office 2016.


      Outlook 2016 Security Update for July 2019

      News

      A Security Update has been released for Outlook 2016. It resolves the following vulnerability:

      • CVE-2019-1084: Microsoft Exchange Information Disclosure Vulnerability (All)
        An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters. An authenticated attacker could exploit this vulnerability by creating entities with invalid display names, which, when added to conversations, remain invisible. This security update addresses the issue by validating display names upon creation in Microsoft Exchange, and by rendering invalid display names correctly in Microsoft Outlook clients.

      Additionally, the holiday file (Outlook.HOL) has been updated to extend the date range to the year 2026 for many events. To update your holidays, you’ll have to remove the current ones from your Calendar and re-import them. For more info see: Holiday updates for the Outlook Calendar.

      There is also a fix for an issue where Categories that are set on items in a shared mailbox may not be synced to the server and other clients.

      View: Download information for KB4475517

      Note: This update can be installed via Microsoft Update and updates Outlook to version 16.0.4873.1000. This update does not apply to Perpetual and Office 365 based installations of Office 2016.


      Outlook 2013 Security Update for July 2019

      News

      A Security Update has been released for Outlook 2013. It resolves the following vulnerability:

      • CVE-2019-1084: Microsoft Exchange Information Disclosure Vulnerability (All)
        An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters. An authenticated attacker could exploit this vulnerability by creating entities with invalid display names, which, when added to conversations, remain invisible. This security update addresses the issue by validating display names upon creation in Microsoft Exchange, and by rendering invalid display names correctly in Microsoft Outlook clients.

      Additionally, the holiday file (Outlook.HOL) has been updated to extend the date range to the year 2026 for many events. To update your holidays, you’ll have to remove the current ones from your Calendar and re-import them. For more info see: Holiday updates for the Outlook Calendar.

      View: Download information for KB4464592

      Note: This update can be installed via Microsoft Update or the Update Now button when you are using Office 2013 Click-To-Run and updates Outlook to version 15.0.5153.1000.


      Outlook 2010 Security Update for July 2019

      News

      A Security Update has been released for Outlook 2010. It resolves the following vulnerability:

      • CVE-2019-1084: Microsoft Exchange Information Disclosure Vulnerability (All)
        An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters. An authenticated attacker could exploit this vulnerability by creating entities with invalid display names, which, when added to conversations, remain invisible. This security update addresses the issue by validating display names upon creation in Microsoft Exchange, and by rendering invalid display names correctly in Microsoft Outlook clients.

      View: Download information for KB4475509

      Note: This update can be installed via Microsoft Update and updates Outlook to version 14.0.7235.5000.


      Exchange 2019, 2016, 2013 and 2010 Security Updates for July 2019

      News

      Security updates have been released for Exchange 2010, Exchange 2013, Exchange 2016 and Exchange 2019.

      • CVE-2019-1084: Microsoft Exchange Information Disclosure Vulnerability (All)
        An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters. An authenticated attacker could exploit this vulnerability by creating entities with invalid display names, which, when added to conversations, remain invisible. This security update addresses the issue by validating display names upon creation in Microsoft Exchange, and by rendering invalid display names correctly in Microsoft Outlook clients.
      • CVE-2019-1136: Microsoft Exchange Server Elevation of Privilege Vulnerability (Exchange 2010/2013/2016)
        An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could gain the same rights as any other user of the Exchange server. This could allow the attacker to perform activities such as accessing the mailboxes of other users. Exploitation of this vulnerability requires Exchange Web Services (EWS) to be enabled and in use in an affected environment. To exploit the vulnerability, an attacker would need to execute a man-in-the-middle attack to forward an authentication request to a Microsoft Exchange Server, thereby allowing impersonation of another Exchange user. To address this vulnerability, Microsoft has changed the way EWS handles NTLM tokens.
      • CVE-2019-1137: Microsoft Exchange Server Spoofing Vulnerability (Exchange 2013/2016/2019)
        A cross-site-scripting (XSS) vulnerability exists when Microsoft Exchange Server does not properly sanitize a specially crafted web request to an affected Exchange server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected server. The attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run script in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the Exchange server on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user. The security update addresses the vulnerability by helping to ensure that Exchange Server properly sanitizes web requests.
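
CVE-2019-1084 above turns on display names built from non-printable characters. As an added example (not Microsoft's validation logic and not code from this page), the following Python audits an exported recipient list for such names; the sample entries, the addresses and the chosen set of Unicode categories are constructed assumptions.

```python
import unicodedata

# Assumption: treat these Unicode general categories as non-printable
# (control, format, unassigned, private use, surrogate, line/paragraph separator).
NON_PRINTABLE = {"Cc", "Cf", "Cn", "Co", "Cs", "Zl", "Zp"}


def hidden_chars(name):
    """Return (index, code point, category) for every non-printable character."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.category(ch))
            for i, ch in enumerate(name)
            if unicodedata.category(ch) in NON_PRINTABLE]


def classify(name):
    """'ok', 'mixed' (visible text plus hidden characters) or 'invisible'."""
    visible = [ch for ch in name
               if unicodedata.category(ch) not in NON_PRINTABLE
               and not ch.isspace()]
    if not visible:
        return "invisible"   # nothing renders: the case the advisory describes
    # ZWJ/ZWNJ are legitimate in some scripts, so 'mixed' means review, not reject.
    return "mixed" if hidden_chars(name) else "ok"


def audit(entries):
    """entries: iterable of (address, display_name); returns the flagged ones."""
    findings = []
    for address, name in entries:
        verdict = classify(name)
        if verdict != "ok":
            findings.append({"address": address, "verdict": verdict,
                             "chars": hidden_chars(name)})
    return findings


# Constructed sample data standing in for a directory export.
SAMPLE = [
    ("alice@example.test", "Alice Example"),
    ("rene@example.test", "René Müller"),          # non-ASCII but printable
    ("bob@example.test", "Bob\u200bExample"),      # zero width space inside text
    ("ghost@example.test", "\u200b\u2060\u00a0"),  # only invisible characters
    ("bell@example.test", "\x07"),                 # lone control character
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Names classified as `invisible` are the ones worth correcting first; `mixed` entries need a human look because some scripts use joiner characters legitimately.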

      View: Description of the security update for Microsoft Exchange Server 2010: July 9, 2019
      View: Description of the security update for Microsoft Exchange Server 2013 and 2016: July 9, 2019
      View: Description of the security update for Microsoft Exchange Server 2019: July 9, 2019
      Download: Update Rollup 29 For Exchange 2010 SP3 (KB4509410)
      Download: Security Update For Exchange Server 2013 CU23 (KB4509409)
      Download: Security Update For Exchange Server 2016 CU12 (KB4509409)
      Download: Security Update For Exchange Server 2016 CU13 (KB4509409)
      Download: Security Update For Exchange Server 2019 CU1 (KB4509408)
      Download: Security Update For Exchange Server 2019 CU2 (KB4509408)