A new rollup update has been made available for all Click-to-Run installations of Outlook 2016, Outlook 2019 and Outlook as part of an Office 365 subscription.
It contains 6 security updates for Outlook (3), Word (2) and Office (1). Details about the Outlook vulnerabilities:
- CVE-2019-1199: Microsoft Outlook Memory Corruption Vulnerability
A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. Note that the Preview Pane is an attack vector for this vulnerability.
- CVE-2019-1200: Microsoft Outlook Remote Code Execution Vulnerability
A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. Note that the Preview Pane is not an attack vector for this vulnerability.
- CVE-2019-1204: Microsoft Outlook Elevation of Privilege Vulnerability
An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages. An attacker who successfully exploited the vulnerability could attempt to force Outlook to load a local or remote message store (over SMB). To exploit the vulnerability, the attacker could send a specially crafted email to a victim. Outlook would then attempt to open a pre-configured message store contained in the email upon receipt of the email.
Based on your release channel, you’ll be updated to the following version:
- Office 365, Outlook 2016 Retail, Outlook 2019 Retail
Version 1907 (Build 11901.20218)
- Outlook 2019 Volume License
Version 1808 (Build 10349.20017)
- Office 365 Semi-Annual Channel
Version 1902 (Build 11328.20392)
Version 1808 (Build 10730.20370)
Version 1803 (Build 9126.2432)
Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook itself or the Microsoft Store. This update does not apply to MSI-based installations of Office 2016.