Microsoft has issued security updates for various critical vulnerabilities affecting Office Outlook, the professional email and calendar application included in the Office suite.
A memory corruption vulnerability (CVE-2017-8663) has been identified by the Microsoft Office Security Team that can be leveraged for remote code execution. The flaw can be exploited by making an Outlook user to open a specially crafted file given to them via email.
According to Microsoft:
“A remote code execution vulnerability exists in the way that Microsoft Outlook parses specially crafted email messages. An attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
Another Security Feature Bypass vulnerability (CVE-2017-8571) exists due to the way Outlook works. The attacker can exploit this vulnerability by fooling the victim into opening and interacting with a specially crafted document.
“A security feature bypass vulnerability exists when Microsoft Office Outlook improperly handles input. An attacker who successfully exploited the vulnerability could execute arbitrary commands. In a file-sharing attack scenario, an attacker could provide a specially crafted document file designed to exploit the vulnerability, and then convince a user to open the document file and interact with the document by clicking a specific cell.”
The third vulnerability (CVE-2017-8572) is an information disclosure flaw that exists because Office improperly discloses memory content. An attacker can exploit the vulnerability and use the information to compromise the victim’s computer or data by tricking the victim into opening a specially crafted file in order to obtain information that can be useful for the hack.
An attacker must know the memory address location where the object was created.
Microsoft said:
“Of the total of eight issues identified, six have been fixed and two are still under investigation”