Security Experts:

Connect with us

Hi, what are you looking for?


Email Security

Microsoft Patches Several Outlook Vulnerabilities

Microsoft has released patches for several important vulnerabilities affecting Outlook, the professional email and calendar application included in the Office suite.

Microsoft has released patches for several important vulnerabilities affecting Outlook, the professional email and calendar application included in the Office suite.

The tech giant pointed out that none of the flaws have been disclosed and none of them have been exploited in attacks. The security holes are related to Click-to-Run (C2R), a streaming and virtualization technology used to install Office products.

One of the vulnerabilities, discovered by the Microsoft Office Security Team and tracked as CVE-2017-8663, is a memory corruption that can be leveraged for remote code execution. The weakness can be exploited by getting an Outlook user to open a specially crafted file sent to them via email.

“An attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said in its advisory.

Another vulnerability that can lead to arbitrary code execution is CVE-2017-8571, a security feature bypass issue that exists due to the way Outlook handles input. An attacker can exploit the flaw by tricking the targeted user into opening and interacting with a specially crafted document. Nicolas Joly of MSRCE UK reported the problem to Microsoft.

The third security hole, CVE-2017-8572, is an information disclosure bug that exists because Office improperly discloses memory content. An attacker who knows the memory address of the targeted object needs to trick the target into opening a specially crafted file in order to obtain information that can be useful for accessing the victim’s computer and data. Aaron Grattafiori of Facebook and Soroush Dalili from NCC Group were credited for finding the flaw.

Microsoft said the patches also address several known issues in the June 2017 security updates. The company was forced to pull its June Outlook update after users reported that it had been causing the application to crash.

Of the total of eight issues identified, six have been fixed and two are still under investigation, Microsoft said.

Related: Microsoft Patches Zero-Days Exploited by Russia-Linked Hackers

Related: Microsoft Patches Over 50 Vulnerabilities

Related: Microsoft Issues Emergency Patch in Response to Massive Ransomware Outbreak

Related: Microsoft Patches LDAP Relay Vulnerability in NTLM

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.


Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.


Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.