A vulnerability in the way the Microsoft Outlook email application handles attachment previews could allow an attacker to execute malicious code without interacting with the user.
The vulnerability lies in the method used by Windows Object Linking and Embedding (OLE) automation function and how it handles Rich Text Files (.RTF). Emails sent in RTF format and previewed in Outlook will have their content fetched automatically by OLE, meaning any malicious attachments would be executed without the user opening them.
CVE-2018-0950 in Microsoft Outlook was found by Will Dormann.
Microsoft Outlook – All versions
Microsoft has released an update for Microsoft Outlook to fix this vulnerability. The update can be downloaded from the Security TechCenter for CVE-2018-0950. Please note depending on the Outlook version, different packages are provided.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.