0patch fixes Memory Corruption vulnerability (CVE-2022-35742) in Microsoft Outlook 2010

[German]The vulnerability CVE-2022-35742 in Outlook was closed by Microsoft in August 2022 by means of security updates (see Patchday: Microsoft Office Updates (August 9, 2022)). However, Microsoft only provides updates for the MSI versions of Outlook 2013 and 2016. ACROS Security has now released a micropatch that closes the vulnerability in Microsoft Outlook 2010.


Advertising

The vulnerability, fixed in Microsoft Outlook August 2022, was discovered by security researcher insu from 78ResearchLab, as Mitja Kolsek writes here. The vulnerability exploits an error in Outlook's processing of multiple Content-Type headers in a multipart/signed email. A malicious email could cause an unallocated memory address to be shared and Outlook to crash while such an email is being downloaded (even before it is displayed to the user).

It is enough to click on the mail in the user's inbox or view its contents in the preview window. Microsoft classifies this as a "denial of service" vulnerability. According to Kolsek, however, it is not impossible that the vulnerability can be exploited to execute arbitrary code.

0patch Outlook micropatch

While Microsoft Office 2013 and 2019 have still received updates and the Click2-Run variants have also been updated, Microsoft Office 2010 and thus Outlook 2010 has fallen out of support. According to the above tweet, ACROS Security is already providing a micropatch that closes the vulnerability in Microsoft Outlook 2010.

The micropatch is available for both 32-bit and 64-bit versions of Outlook 2010, but requires Outlook to be at the April 2021 update level. This micropatch has already been distributed to all online 0patch agents with a PRO or Enterprise license, as Mitja Kolsek writes here. Notes on how the 0patch agent works, which loads the micropatches into memory at an application's runtime, can be found in blog posts (such as here).


Advertising

 

an alle Online-0patch-Agenten mit einer PRO- oder Enterprise-Lizenz verteilt, wie Mitja Kolsek hier schreibt. Hinweise zur Funktionsweise des 0patch-Agenten, der die Micropatches zur Laufzeit einer Anwendung in den Speicher lädt, finden Sie in den Blog-Posts (wie z.B. hier).

Similar articles:
0patch: Fix for Internet Explorer 0-day vulnerability CVE-2020-0674
0patch: Fix for Windows Installer flaw CVE-2020-0683
0patch fix for Windows GDI+ vulnerability CVE-2020-0881
0-day vulnerability in Windows Adobe Type Library
0patch fixes CVE-2020-0687 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1048 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1015 in Windows 7/Server 2008 R2
0patch for 0-day RCE vulnerability in Zoom for Windows
Windows Server 2008 R2: 0patch fixes SIGRed vulnerability
0patch fixes CVE-2020-1113 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1337 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1530 in Windows 7/Server 2008 R2
0patch fixes Zerologon (CVE-2020-1472) vulnerability in Windows Server 2008 R2
0patch fixes CVE-2020-1062 in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1300 in Windows 7/Server 2008 R2
0patch fixes 0-day vulnerability in Windows 7/Server 2008 R2
0patch fixes CVE-2020-1013 in Windows 7/Server 2008 R2
0patch fixes a Local Privilege Escalation 0-day in Sysinternals PsExec
0patch fixes Windows Installer 0-day Local Privilege Escalation vulnerability
0patch fixes 0-day in Internet Explorer
0patch fixes CVE-2021-26877 in the DNS server of Windows Server 2008 R2
0patch fixes Windows Installer LPE-Bug (CVE-2021-26415)
0Patch provides support for Windows 10 version 1809 after EOL
Windows 10 V180x: 0Patch fixes IE vulnerability CVE-2021-31959
0Patch Micropatches for PrintNightmare Vulnerability (CVE-2021-34527)
0patch fix for new Windows PrintNightmare 0-day vulnerability (Aug. 5, 2021)
0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 6, 2021)
2nd 0patch fix for Windows PetitPotam 0-day vulnerability (Aug. 19, 2021)
Windows 10: 0patch fix for MSHTML vulnerability (CVE-2021-40444)
0patch fixes LPE Vulnerability (CVE-2021-34484) in Windows User Profile Service
0patch fixes LPE vulnerability (CVE-2021-24084) in Mobile Device Management Service
0patch fixes InstallerTakeOver LPE 0-day vulnerability in Windows
0patch fixes ms-officecmd RCE vulnerability in Windows
0patch fixes RemotePotato0 vulnerability in Windows
0patch fixes again vulnerability CVE-2021-34484 in Windows 10/Server 2019
0Patch fixes vulnerabilities (CVE-2022-26809 and CVE-2022-22019) in Windows
Windows MSDT 0-day vulnerability "DogWalk" receives 0patch fix
0patch fixes all known and exploitable Windows NTLM/Kerberos vulnerabilities


Cookies helps to fund this blog: Cookie settings
Advertising


##1

This entry was posted in Office, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *