Exposure of sensitive information to an unauthorized actor in Microsoft Office Outlook allows an unauthorized attacker to perform spoofing over a network.
There are multiple update packages available for some of the affected software. Do I need to install all the updates listed in the Security Updates table for the software? Yes. Customers should apply all updates offered for the software installed on their systems. If multiple updates apply, they can be installed in any order. Is the Preview Pane an attack vector for this vulnerability? Yes, the Preview Pane is an attack vector. How could an attacker exploit this vulnerability? An attacker could exploit this spoofing vulnerability by using a specially crafted email to trigger an outbound NTLM authentication attempt to an attacker‑controlled server, resulting in credential disclosure. Why isn’t there a security update for Outlook if Outlook is impacted? Microsoft Outlook may be involved in certain attack scenarios; however, the security update applies to Microsoft Word, which addresses the vulnerability. Installing the latest security update for Microsoft Word fully mitigates the vulnerability, including scenarios in which Outlook is used. There is no separate update required for Microsoft Outlook.
<a href="https://erpaciocco.github.io/">ErPaciocco</a>