CVE-2020-16947 Overview
A remote code execution vulnerability exists in Microsoft Outlook software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the targeted user. If the targeted user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft Outlook software. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. Critically, where severity is indicated as Critical in the Affected Products table, the Preview Pane is an attack vector, meaning users could be compromised simply by previewing a malicious email without explicitly opening it.
Critical Impact
This vulnerability allows remote attackers to execute arbitrary code in the context of the current user. When the Preview Pane is enabled, exploitation can occur without user interaction beyond viewing the email, making this particularly dangerous for enterprise environments.
Affected Products
- Microsoft 365 Apps for Enterprise
- Microsoft Office 2019
- Microsoft Outlook 2016
Discovery Timeline
- 2020-10-16 - CVE-2020-16947 published to NVD
- 2026-02-23 - Last updated in NVD database
Technical Details for CVE-2020-16947
Vulnerability Analysis
This vulnerability stems from improper memory handling in Microsoft Outlook when processing specially crafted content. The flaw is classified as CWE-125 (Out-of-Bounds Read), indicating that Outlook fails to properly validate memory boundaries when parsing certain objects, leading to memory corruption that can be leveraged for code execution.
The attack can be delivered through multiple vectors. In an email-based attack, an attacker sends a malicious file to the victim and convinces them to open it. In a web-based scenario, an attacker hosts a crafted file on a website and entices users to download and open it. The most concerning aspect is that when the Preview Pane is enabled in Outlook, simply viewing a malicious email can trigger the vulnerability without requiring the user to explicitly open any attachments.
Users whose accounts are configured with limited user rights are less impacted than those operating with administrative privileges, as successful exploitation grants the attacker the same permissions as the targeted user.
Root Cause
The root cause of CVE-2020-16947 is an out-of-bounds read condition (CWE-125) that occurs when Microsoft Outlook processes objects in memory. The application fails to properly validate memory boundaries when handling certain objects, allowing an attacker to craft malicious content that corrupts memory and enables arbitrary code execution. The security update addresses the vulnerability by correcting how Outlook handles objects in memory.
Attack Vector
The vulnerability is exploited through network-based attacks requiring user interaction. There are two primary attack scenarios:
Email Attack Scenario: The attacker sends a specially crafted file to the target user via email. The attacker must convince the user to open the file, or if the Preview Pane is enabled, simply viewing the email can trigger exploitation.
Web-Based Attack Scenario: The attacker hosts a malicious file on a website or leverages a compromised site that accepts user-provided content. The attacker must then convince users to visit the website and open the specially crafted file. This typically involves social engineering through email or instant message enticements.
The vulnerability has been documented by the Zero Day Initiative in advisories ZDI-20-1249 and ZDI-20-1250, and technical details are available in the Packet Storm RCE File.
Detection Methods for CVE-2020-16947
Indicators of Compromise
- Unusual Outlook process behavior including unexpected child process spawning
- Outlook.exe making suspicious network connections to unknown external hosts
- Crash dumps or memory access violations in Outlook related to object handling
- Suspicious email attachments or HTML content designed to trigger memory corruption
Detection Strategies
- Monitor for anomalous process creation events from OUTLOOK.EXE, particularly spawning of command interpreters (cmd.exe, powershell.exe)
- Implement email gateway scanning for malformed or suspicious attachments targeting Outlook
- Deploy endpoint detection rules to identify out-of-bounds memory access patterns in Office applications
- Enable Windows Defender Application Guard for Office to isolate potentially malicious documents
Monitoring Recommendations
- Enable enhanced logging for Microsoft Office applications including Outlook crash events
- Monitor Security Event Logs for process creation events with Outlook as the parent process
- Implement network traffic analysis for unusual outbound connections from Outlook processes
- Review email logs for suspicious patterns indicating targeted phishing attempts
How to Mitigate CVE-2020-16947
Immediate Actions Required
- Apply Microsoft security updates immediately for all affected Outlook and Office installations
- Disable the Preview Pane in Microsoft Outlook to reduce the attack surface until patches are applied
- Configure user accounts with least-privilege principles to limit the impact of potential exploitation
- Implement email filtering to block suspicious attachments and enforce strict content policies
Patch Information
Microsoft has released security updates to address this vulnerability. The patch corrects how Outlook handles objects in memory. Organizations should apply the updates available through the Microsoft Security Advisory CVE-2020-16947.
Affected products requiring updates include:
- Microsoft 365 Apps for Enterprise
- Microsoft Office 2019
- Microsoft Outlook 2016
Updates can be deployed through Windows Update, Microsoft Update Catalog, or enterprise deployment tools such as WSUS and Microsoft Endpoint Configuration Manager.
Workarounds
- Disable the Reading/Preview Pane in Outlook to prevent automatic rendering of malicious content
- Configure email clients to display emails as plain text only until patches are applied
- Restrict execution of macros and active content in Office applications
- Educate users about the risks of opening unexpected email attachments from unknown senders
# Disable Outlook Preview Pane via Registry (Windows)
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Preferences" /v PreviewPane /t REG_DWORD /d 0 /f
# Verify current patch level of Office installations
wmic product where "name like '%Office%'" get name,version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
