A new rollup update has been made available for all Click-to-Run installations of Outlook 2016, Outlook 2019 and Outlook as part of a Microsoft 365 subscription.
It contains 13 security updates for Access (1), Excel (5), Outlook (2), Word (3) and Office (2). Details of the Outlook vulnerabilities:
- CVE-2020-1483: Microsoft Outlook Memory Corruption Vulnerability
A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
To exploit the vulnerability, a user must open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
Note that the Preview Pane is an attack vector for this vulnerability.
The security update addresses the vulnerability by correcting how Microsoft Outlook handles files in memory.
- CVE-2020-1493: Microsoft Outlook Information Disclosure Vulnerability
An information disclosure vulnerability exists when attaching files to Outlook messages. This vulnerability could potentially allow users to share attached files such that they are accessible by anonymous users where they should be restricted to specific users.
To exploit this vulnerability, an attacker would have to attach a file as a link to an email. The email could then be shared with individuals that should not have access to the files, ignoring the default organizational setting.
The security update addresses the vulnerability by correcting how Outlook handles file attachment links.
In addition, it contains 2 documented non-security fixes for Outlook Current, 4 features and 7 fixes for Monthly Enterprise 2005, and 1 for Semi-Annual 2002. The most notable fixes are:
- Version 2007
Addressed an issue that caused Outlook to fail to retrieve search suggestions.
- Version 2007
Addressed an issue that caused Outlook to occasionally crash when retrieving persona information.
- Version 2006 – New option to disable @ mention suggestions when composing mail in Outlook
Do you find the @ mention picker more annoying than useful? Now you can turn it off if you prefer.
File -> Options -> Mail -> section: Send Messages -> Suggest names to mention when I use the @ symbol in a message.
- Version 2006 – Keep your pictures high fidelity when sending them as part of an email
A new Outlook setting is available to limit picture compression when you send pictures as part of the email contents.
File -> Options -> Mail -> Editor Options… -> Advanced -> enable: Do not compress images in file
- Version 2006
Addressed an issue that caused the creation date of attachments copied to the file system via drag and drop to be set to January 1, 4501.
- Version 2002
Addressed an issue that caused a significant performance issue when starting Outlook for some tenants.
Based on your release channel, you’ll be updated to the following version:
- Microsoft 365, Outlook 2016 Retail, Outlook 2019 Retail
Version 2007 (Build 13029.20344)
- Monthly Enterprise
Version 2006 (Build 13001.20520)
Version 2005 (Build 12827.20656)
- Semi-Annual Enterprise (Preview)
Version 2002 (Build 12527.20988)
- Semi-Annual Enterprise
Version 2002 (Build 12527.20988)
Version 1908 (Build 11929.20934)
Version 1902 (Build 11328.20644)
- Outlook 2019 Volume License
Version 1808 (Build 10364.20059)
Note: Depending on your installation type, this update can be installed via the Update Now button in Outlook itself or via the Microsoft Store. This update does not apply to MSI-based installations of Office 2016.
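
A check against the builds listed above, as an added PowerShell example that is not part of the original post: it compares a Click-to-Run version string with the patched build for its version family. The function name, the sample versions and the treatment of unlisted build families are assumptions made here; the installed version is read from the `VersionToReport` value under the Click-to-Run `Configuration` registry key.

```powershell
# Patched builds from the channel list above: build family -> minimum revision.
$PatchedBuilds = @{
    13029 = 20344   # Version 2007
    13001 = 20520   # Version 2006
    12827 = 20656   # Version 2005
    12527 = 20988   # Version 2002
    11929 = 20934   # Version 1908
    11328 = 20644   # Version 1902
    10364 = 20059   # Version 1808 (Outlook 2019 Volume License)
}

function Test-OfficeC2RPatched {
    param([Parameter(Mandatory)][string]$Version)
    # Click-to-Run versions have the form 16.0.<build>.<revision>.
    if ($Version -notmatch '^16\.0\.(\d+)\.(\d+)$') {
        throw "Unexpected version format: $Version"
    }
    $build = [int]$Matches[1]
    $revision = [int]$Matches[2]
    if ($PatchedBuilds.ContainsKey($build)) {
        return $revision -ge $PatchedBuilds[$build]
    }
    # Assumption: a build family newer than every listed one is a later release
    # that already contains the fixes; an unlisted older family received no update.
    $newest = ($PatchedBuilds.Keys | Measure-Object -Maximum).Maximum
    return $build -gt $newest
}

# Constructed sample versions, so the logic can be checked on any machine.
foreach ($v in '16.0.13029.20344', '16.0.12527.20880', '16.0.12730.20270') {
    '{0} patched: {1}' -f $v, (Test-OfficeC2RPatched -Version $v)
}

# Installed Click-to-Run version on this machine (absent on MSI-based installs).
$key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
$installed = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).VersionToReport
if ($installed) {
    '{0} patched: {1}' -f $installed, (Test-OfficeC2RPatched -Version $installed)
} else {
    'No Click-to-Run Office installation found.'
}
```

A machine that reports an older revision within its build family has not yet received this rollup and is still exposed to the Preview Pane vector described for CVE-2020-1483.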