Michael Gorelik

**Name of the Vulnerable Software and Affected Versions** Microsoft Office Outlook (affected versions not specified) **Description** The issue is related to improper input validation in Microsoft Office Outlook, allowing an authorized attacker to execute code locally. This can also enable remote attackers to execute arbitrary code and affect the system. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Office Outlook (affected versions not specified) **Description** A critical issue in Microsoft Office Outlook allows an authorized attacker to execute code locally. This is due to a path traversal problem. The issue can be exploited by attackers using social engineering to gain low-privilege access. There are reports of this issue being actively exploited. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Microsoft Outlook versions 2016 Microsoft Office versions 2019 through 2024 **Description** The issue allows remote attackers to execute arbitrary code and affect the system. It is reported that this issue has been patched by Microsoft with the aid of external researchers. **Recommendations** For Microsoft Outlook version 2016, apply the patch provided by Microsoft. For Microsoft Office versions 2019 through 2024, apply the patch provided by Microsoft. As a temporary workaround, consider restricting access to potentially vulnerable components until a patch is applied.

Name of the Vulnerable Software and Affected Versions: Microsoft Office (affected versions not specified) Microsoft 365 Apps for Enterprise (affected versions not specified) Description: The issue is related to insufficient protection of service data in Microsoft Office and Microsoft 365 Apps for Enterprise, allowing a remote attacker to conduct spoofing attacks. This can affect the system. Recommendations: For Microsoft Office, consider restricting access to sensitive features until a patch is available. For Microsoft 365 Apps for Enterprise, avoid using potentially vulnerable components until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Microsoft Outlook (affected versions not specified) Description: The issue is related to incorrect external control of a file name or path in Microsoft Outlook for Windows operating systems. Exploitation of this issue may allow an attacker to execute arbitrary code. It is described as a Form Injection Remote Code Execution (RCE) vulnerability. Researchers from Morphisec Threat Labs have identified this vulnerability, which is a zero-click vulnerability leveraging form injections. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Microsoft Outlook versions prior to the fixed version Description: A critical zero-click remote code execution vulnerability has been discovered in Microsoft Outlook. This vulnerability allows attackers to execute arbitrary code by sending a specially crafted email. The issue is related to the use of an incomplete blacklist when processing input data, which can be exploited by creating specially formed DLL files. The vulnerability can be triggered without any user interaction, simply by opening a malicious email. Recommendations: For Microsoft Outlook versions prior to the fixed version, update to the latest version to resolve the issue. As a temporary workaround, consider disabling the auto-open email feature to minimize the risk of exploitation. Restrict access to vulnerable modules to minimize the risk of exploitation. Avoid using vulnerable parameters in affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.