A new rollup update has been made available for all Click-to-Run installations of Outlook 2016, Outlook 2019 and Outlook as part of a Microsoft 365 subscription.
It contains 8 security updates for Excel (1), Outlook (1), Project (1), Word (4) and Office (1). Details about the Outlook vulnerability:
- CVE-2020-1349: Microsoft Outlook Remote Code Execution Vulnerability
A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could use a specially crafted file to perform actions in the security context of the current user. For example, the file could then take actions on behalf of the logged-on user with the same permissions as the current user.
To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
Note that the Preview Pane is an attack vector for this vulnerability.
The security update addresses the vulnerability by correcting how Microsoft Outlook handles files in memory.
In addition, it contains 1 documented non-security fix for Outlook Current, 1 feature and 10 fixes for Monthly Enterprise 2005, 12 for Semi-Annual (Preview) 2002 and 44 for Semi-Annual 1908. The most notable fixes are:
- Version 2006 and 2002
Addressed an issue that caused users to be unable to save OneDrive attachments from outside their tenant to their local computer when selecting the “Save” option on the security dialog.
- Version 2005 – Better results—in a jiffy
We’ve updated the Search experience to make it smarter, faster, and more reliable than ever.
- Version 2005
Addresses an issue that caused users to see Outlook continuously prompt them to run the Inbox Repair tool.
- Version 2005, 2002 and 1908
Addresses an issue that caused users to see the “The rules on this computer do not match the rules on Microsoft Exchange” message when updating their rules in Outlook.
- Version 2002
Addressed an issue that caused recurring appointments or meetings to be displayed at the wrong time when approaching a timezone definition change.
- Version 2002
Addressed an issue that caused delegates to receive an error when editing an existing calendar appointment on a manager’s calendar.
- Version 1908
This updates the attachment blocking logic in Outlook to also block Python attachments.
- Version 1908
Addresses an issue that caused Outlook users to get stuck in the “Needs Password” state in certain scenarios.
Version 2002 has now also been released to the Semi-Annual Enterprise Channel and contains 12 highlighted new features and 61 fixes which have been made available already to the other release channels.
Based on your release channel, you’ll be updated to the following version:
- Office 365, Outlook 2016 Retail, Outlook 2019 Retail
Version 2006 (Build 13001.20384)
- Office 365 Monthly Enterprise
Version 2005 (Build 12827.20538)
Version 2004 (Build 12730.20602)
- Office 365 Semi-Annual Enterprise (Preview)
Version 2002 (Build 12527.20880)
- Office 365 Semi-Annual Enterprise
Version 2002 (Build 12527.20880)
Version 1908 (Build 11929.20904)
Version 1902 (Build 11328.20624)
- Outlook 2019 Volume License
Version 1808 (Build 10363.20015)
Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook itself or the Microsoft Store. This update does not apply to MSI-based installations of Office 2016.
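To confirm that a Click-to-Run installation has reached the build listed above for its version, the following PowerShell compares a reported version string against that list. It is an added example, not part of the original post or Microsoft's documentation. The function name `Test-OutlookBuild` is hypothetical; the registry path, the `VersionToReport` value and the `16.0.` version prefix are assumptions that do not come from this page; the sample versions at the end are constructed.

```powershell
# Patched builds from the list above, keyed by the first build component,
# which identifies the version branch (12527 = Version 2002, and so on).
$PatchedBuilds = @{
    13001 = 20384   # Version 2006
    12827 = 20538   # Version 2005
    12730 = 20602   # Version 2004
    12527 = 20880   # Version 2002
    11929 = 20904   # Version 1908
    11328 = 20624   # Version 1902
    10363 = 20015   # Version 1808
}

function Test-OutlookBuild {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Version)

    # Accept "16.0.<branch>.<revision>" or the short "<branch>.<revision>" form.
    if ($Version -notmatch '^(?:\d+\.\d+\.)?(\d+)\.(\d+)$') { return 'Unparseable' }
    $branch   = [int]$Matches[1]
    $revision = [int]$Matches[2]

    if ($PatchedBuilds.ContainsKey($branch)) {
        if ($revision -ge $PatchedBuilds[$branch]) { return 'Patched' }
        return 'Missing update'
    }
    # Branch absent from the list: either newer than this release or a
    # version for which the post lists no updated build.
    $newest = ($PatchedBuilds.Keys | Measure-Object -Maximum).Maximum
    if ($branch -gt $newest) { return 'Newer than this release' }
    return 'Branch not listed'
}

# Local host: Click-to-Run records its version in the registry
# (path and value name are assumptions, not taken from the post).
$key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$installed = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).VersionToReport
if ($installed) { '{0} -> {1}' -f $installed, (Test-OutlookBuild $installed) }
else { 'No Click-to-Run installation found (MSI-based installs are not covered).' }

# Constructed sample versions, as they might appear in an inventory export.
'16.0.12527.20720', '16.0.13001.20384', '16.0.12624.20466' |
    ForEach-Object { '{0} -> {1}' -f $_, (Test-OutlookBuild $_) }
```

A result of `Branch not listed` means the post gives no patched build for that version, so the host needs to be checked against its channel's current release rather than assumed safe.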