Microsoft Releases Outlook and Office Click-to-Run Patches


Microsoft patched three new Outlook vulnerabilities and re-released updates from a broken June update.

During the heat of Black Hat last week, Microsoft pushed out patches for Outlook that address three newly reported vulnerabilities. Last week’s update also included fixes for six of eight vulnerabilities left unpatched after issues were reported with the June Patch Tuesday update.

The most serious of the new vulnerabilities, CVE-2017-8663, is a remote code execution bug exploited via a specially crafted file sent through Outlook, Microsoft said.

“The security update addresses the vulnerability by correcting the way that Microsoft Outlook parses specially crafted email messages,” Microsoft said in its advisory.

All three patches are for vulnerabilities in Click-to-Run, Microsoft’s streaming and virtualization technology used during the installation of Microsoft Office products.

“The streaming technology enables you to download and begin to use an Office product before the whole product is installed on your computer. The virtualization technology provides an isolated environment for Office to run on your computer,” Microsoft said in describing Click-to-Run. “This isolated environment allows you to run the latest version of Office side-by-side with an earlier version of Office that is already installed on your computer.”

Office 2010, 2013 and 2016 Click-to-Run are affected, as well as Outlook 2007, 2010, 2013 and 2016.

Microsoft also patched an information disclosure flaw in Office, CVE-2017-8572, that causes the program to disclose memory. An attacker could exploit the bug using a crafted Office document, and could use the attack to steal data from the compromised machine.

All supported versions of Office and Outlook are affected, Microsoft said.

The final Click-to-Run bug, CVE-2017-8571, is a security feature bypass in all supported versions of Outlook and Office.

“An attacker who successfully exploited the vulnerability could execute arbitrary commands,” Microsoft said in its advisory. “In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit the vulnerability, and then convince a user to open the document file and interact with the document by clicking a specific cell.”

None of the vulnerabilities has been publicly disclosed or exploited in the wild.

Meanwhile, six of the eight June updates that were pulled back have been patched. The two outstanding issues affect Outlook: in one, iCloud fails to load properly in Outlook; in the other, some web-based Outlook add-ins fail to load when an organization has an on-premises Exchange 2013 deployment.

Windows admins reported that the June Outlook update, KB3015545, was causing crashes when opening emails with attachments. Microsoft removed the update, leaving users exposed for more than a month.
