Microsoft Outlook CVE-2017-11774
HIGH
CVSS Vector (NVD)
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Description (NVD)
Microsoft Outlook 2010 SP2, Outlook 2013 SP1 and RT SP1, and Outlook 2016 allow an attacker to execute arbitrary commands, due to how Microsoft Office handles objects in memory, aka "Microsoft Outlook Security Feature Bypass Vulnerability."
Analysis (AI)
Remote attackers can execute arbitrary code on Microsoft Outlook 2010-2016 systems by delivering a malicious file that triggers a buffer overflow when the user opens it. This vulnerability is confirmed actively exploited (CISA KEV) and has publicly available exploit code; its EPSS score of 84.64% (99th percentile) indicates a very high real-world exploitation probability. The attack leverages Outlook's Home Page feature to bypass security controls and achieve code execution with the privileges of the logged-in user, affecting all Outlook versions from 2010 SP2 through 2016 prior to the October 2017 patches.
Technical Context (AI)
This vulnerability exploits a buffer overflow (CWE-119) in how Microsoft Outlook handles objects in memory when processing specially crafted content. The underlying issue relates to insufficient bounds checking when Outlook parses Home Page configuration data. The CPE strings identify the affected products as Microsoft Outlook 2010 SP2, Outlook 2013 SP1 (both standard and RT editions), and Outlook 2016. According to the SensePost disclosure, attackers leverage the Outlook Home Page feature, a folder-level configuration that renders HTML content, to inject malicious code. When combined with tools like Ruler (a framework for abusing Exchange features), attackers can remotely set a malicious Home Page URL that triggers the buffer overflow upon folder access. The CVSS vector (AV:L) may be misleading: actual exploitation occurs through email delivery followed by local execution, though the final privilege escalation occurs locally.
Remediation (AI)
Apply Microsoft's October 2017 security updates immediately via Windows Update or download patches directly from the Microsoft Security Response Center advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11774, which provides specific update KB numbers for each affected Outlook version. Until patching is complete, organizations should implement compensating controls: disable the Outlook Home Page feature via Group Policy (registry key HKCU\Software\Microsoft\Office\<version>\Outlook\WebView\Inbox, set 'Disabled' to 1), though this may break legitimate folder customizations users have configured. For Exchange administrators, restrict external access to Exchange Web Services (EWS) and block tools like Ruler at the network perimeter, as these are commonly used delivery mechanisms for Home Page attacks. Deploy email gateway filtering to block HTML attachments with suspicious Home Page declarations. Note that disabling Home Page functionality provides strong mitigation but may impact users who rely on custom folder views for workflow automation.
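To check where the compensating control stands on an endpoint, the following added example (not code from Microsoft, NVD or this page's sources) lists every per-folder WebView key under the current user's Office hive and reports whether a Home Page URL is set and whether the 'Disabled' value named above is 1. The function name is hypothetical, and the 'URL' value name is not on this page: it is the value Outlook uses to store a folder's Home Page address.

```powershell
# Added example: audit per-user Outlook Home Page (WebView) registry settings.
# Assumptions: run in the user's own session (HKCU); 'URL' is the value Outlook
# uses for a folder's Home Page address; 'Disabled' is the value name given in
# the remediation text above.

function Get-OutlookWebViewAudit {
    [CmdletBinding()]
    param(
        # Search root; overridable so the function can be pointed at a test key.
        [string]$OfficeRoot = 'HKCU:\Software\Microsoft\Office'
    )

    if (-not (Test-Path -Path $OfficeRoot)) { return }

    # One subkey per Office version (14.0, 15.0, 16.0, ...); other subkeys
    # without an Outlook\WebView child are skipped.
    foreach ($versionKey in Get-ChildItem -Path $OfficeRoot -ErrorAction SilentlyContinue) {
        $webView = Join-Path -Path $versionKey.PSPath -ChildPath 'Outlook\WebView'
        if (-not (Test-Path -Path $webView)) { continue }

        # One subkey per mail folder (Inbox, Calendar, ...).
        foreach ($folderKey in Get-ChildItem -Path $webView -ErrorAction SilentlyContinue) {
            $url      = $folderKey.GetValue('URL', $null)
            $disabled = $folderKey.GetValue('Disabled', $null)

            [pscustomobject]@{
                OfficeVersion     = $versionKey.PSChildName
                Folder            = $folderKey.PSChildName
                HomePageUrl       = $url
                MitigationApplied = ($disabled -eq 1)
                # Any configured Home Page URL should be traced to a known,
                # legitimate folder customization.
                NeedsReview       = [bool]$url
                RegistryPath      = $folderKey.Name
            }
        }
    }
}

Get-OutlookWebViewAudit |
    Sort-Object -Property NeedsReview -Descending |
    Format-Table -AutoSize
```

An empty result means no per-folder WebView keys exist for that user; it does not show that the October 2017 updates are installed.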