Security Updates for Outlook (July 2017)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

An application installed on the remote Windows host is affected by
multiple vulnerabilities.

Description :

The Microsoft Office or Outlook application installed on the remote
Windows host is missing a security update. It is, therefore, affected
by multiple vulnerabilities :

- A security feature bypass vulnerability exists in
Microsoft Office due to improper handling of
user-supplied input. An unauthenticated, remote attacker
can exploit this, by convincing a user to open and
interact with a specially crafted document file, to
bypass security measures and execute arbitrary commands.
(CVE-2017-8571)

- An information disclosure vulnerability exists in
Microsoft Office due to improper handling of objects in
memory. An unauthenticated, remote attacker can exploit
this, by convincing a user to open a specially crafted
document file, to disclose the contents of memory.
(CVE-2017-8572)

- A remote code execution vulnerability exists in
Microsoft Outlook due to improper parsing of email
messages. An unauthenticated, remote attacker can
exploit this, with a specially crafted email message
with a malicious attachment, to execute arbitrary code
in the context of the current user. (CVE-2017-8663)

See also :

https://portal.msrc.microsoft.com/en-us/security-guidance/summary
http://www.nessus.org/u?0a682ddf

Solution :

Microsoft has released a set of patches for Outlook 2007, 2010, 2013,
and 2016.

Risk factor :

High / CVSS Base Score : 9.3
(CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.9
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Windows : Microsoft Bulletins

Nessus Plugin ID: 102035

Bugtraq ID: 99452, 99453, 100004

CVE ID: CVE-2017-8571, CVE-2017-8572, CVE-2017-8663
