If you are one of the more than billion users of Microsoft Office, you’re most certainly familiar with Outlook. Microsoft Outlook is the default email, calendar and contacts application typically bundled with Office installations. Check your Windows computer now – if you have Office, chances are, it’s already installed.
If you do have Outlook, please be aware that Microsoft quietly patched the program recently for two security vulnerabilities, which can allow an attacker to take control of your computer.
Microsoft usually bundles its software security patches together on the second Tuesday of each month (Patch or Update Tuesdays) but these patches were deemed critical enough to be pushed out early.
Microsoft Outlook security flaws
The first security flaw is a memory corruption exploit (CVE-2017-8663) that could allow an attacker to execute code and take over a computer via a poisoned email.
The memory corruption flaw requires a user to open a specially crafted file with an affected version of Microsoft Outlook. It could be exploited in an email attack scenario by sending a specially crafted file to the user and then convincing the user to open the file.
“The security update addresses the vulnerability by correcting the way that Microsoft Outlook parses specially crafted email messages,” Microsoft wrote in the security advisory.
The second security issue is an information disclosure flaw (CVE-2017-8572) that can be exploited by an attacker to steal data from a computer with a specially crafted Office file.
“To exploit the vulnerability, an attacker could craft a special document file and then convince the user to open it. An attacker must know the memory address location where the object was created,” Microsoft warned.
All supported versions of Office and Outlook are affected, including Outlook 2007, 2010, 2013 and 2016.
Thankfully, Microsoft said that both flaws have not been publicly exploited nor are there any reported attacks using the bugs but it is recommended that Office users update their installations as soon as possible.