Microsoft has released the October 2020 Office security updates with a total of 24 security updates and 5 cumulative updates for 7 different products, fixing 13 vulnerabilities that could enable remote attackers to execute arbitrary code on vulnerable systems.
The highlight of this month's Microsoft Office security updates is without a doubt CVE-2020-16947, a remote code execution vulnerability that can be triggered when previewing or opening maliciously crafted emails with a vulnerable Microsoft Outlook version.
Exploitation can also be achieved in a web-based attack scenario via sites used to host specially crafted files designed to exploit CVE-2020-16947.
When successfully exploited, the bug allows attackers to run arbitrary code in the context of the System user. The attackers could also take over the targeted system if the currently logged-on user has administrative user rights.
CVE-2020-16947 affects several Office products including Microsoft Outlook 2016 and Microsoft Office 2019, as well as Microsoft 365 Apps for Enterprise.