Description
Microsoft Outlook Information Disclosure Vulnerability
An information disclosure vulnerability exists when Microsoft Outlook fails to properly validate authentication requests.
To exploit the vulnerability, an attacker would have to trick a user into browsing to a malicious website or to an SMB or UNC path destination. Alternatively, the attacker could convince a user to load a malicious document that initiates an NTLM validation request without the user's consent. An attacker who successfully tricked a user into disclosing the user's NTLM hash could then attempt a brute-force attack to recover the password corresponding to that hash.
The security update addresses the vulnerability by correcting how Outlook validates authentication requests.
FAQ
In addition to addressing the vulnerability described in this CVE, do the security updates for Microsoft Outlook address any other issues?
Yes. In addition to addressing the vulnerability described in this CVE, the security updates address known issues 1 through 4 described in the Office Support Article "Outlook known issues in the June 2017 security updates". Microsoft is currently investigating issues 6 and 7, and will provide an update to Outlook as soon as possible.
Updates
Product | Article | Update |
---|---|---|
Microsoft Outlook 2007 Service Pack 3 | ||
Microsoft Outlook 2013 RT Service Pack 1 | - | |
Microsoft Outlook 2010 Service Pack 2 (32-bit editions) | ||
Microsoft Outlook 2010 Service Pack 2 (64-bit editions) | ||
Microsoft Outlook 2016 (32-bit edition) | ||
Microsoft Outlook 2016 (64-bit edition) | ||
Microsoft Outlook 2013 Service Pack 1 (32-bit editions) | ||
Microsoft Outlook 2013 Service Pack 1 (64-bit editions) | ||
Microsoft Office 2016 Click-to-Run (C2R) for 32-bit editions | - | |
Microsoft Office 2016 Click-to-Run (C2R) for 64-bit editions | - | |
Exploitability
Publicly Disclosed
Exploited
Latest Software Release
Older Software Release
EPSS
Related vulnerabilities
Microsoft Outlook 2007 SP3, Outlook 2010 SP2, Outlook 2013 SP1, Outlook 2013 RT SP1, and Outlook 2016 as packaged in Microsoft Office allows an information disclosure vulnerability due to the way that it discloses the contents of its memory, aka "Microsoft Office Outlook Information Disclosure Vulnerability".