Input validation error in Microsoft Outlook and Microsoft Office

#VU20267 Input validation error in Microsoft Outlook and Microsoft Office

Published: 2019-08-14

Vulnerability identifier: #VU20267

Vulnerability risk: Medium

CVSSv3.1: 5.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-1204

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Microsoft Outlook
Client/Desktop applications / Office applications
Microsoft Office
Client/Desktop applications / Office applications

Vendor: Microsoft

Description

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to insufficient validation of incoming email messages. A remote attacker can create a specially crafted email message and attempt to force Outlook to load a local or remote message store (over SMB).

Mitigation
Install update from vendor's website.

Vulnerable software versions

Microsoft Outlook:

Microsoft Office: 2019, 365 ProPlus

External links
http://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1204

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Microsoft Outlook