Endpoint Vulnerability

Microsoft Exchange Information Disclosure Vulnerability

Description

An information disclosure vulnerability exists when Exchange allows creation of entities with Display Names having non-printable characters. An authenticated attacker could exploit this vulnerability by creating entities with invalid display names, which, when added to conversations, remain invisible. This security update addresses the issue by validating display names upon creation in Microsoft Exchange, and by rendering invalid display names correctly in Microsoft Outlook clients.
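The validation the update describes can be approximated on the defender's side with a directory audit. The following Python sketch is an added example, not Microsoft's validation logic and not code from this advisory; the record layout, the sample entries and the choice of Unicode categories treated as non-printable are assumptions.

```python
import unicodedata

# Unicode general categories treated as non-printable here (assumption):
# Cc control, Cf format (zero-width, bidi controls), Cs surrogate,
# Co private use, Cn unassigned, Zl/Zp line and paragraph separators.
NONPRINTABLE = {"Cc", "Cf", "Cs", "Co", "Cn", "Zl", "Zp"}
# Code points with a printable category that still render as a blank glyph.
BLANK_GLYPHS = {0x115F, 0x1160, 0x3164, 0xFFA0, 0x2800}

def suspicious_chars(name):
    """Return [(index, 'U+XXXX', category)] for each non-printable character."""
    hits = []
    for i, ch in enumerate(name):
        cat = unicodedata.category(ch)
        if cat in NONPRINTABLE or ord(ch) in BLANK_GLYPHS:
            hits.append((i, f"U+{ord(ch):04X}", cat))
    return hits

def classify(name):
    """'ok', 'mixed' (visible text plus hidden characters) or 'invisible'."""
    hits = suspicious_chars(name)
    hidden = {i for i, _, _ in hits}
    visible = [c for i, c in enumerate(name) if i not in hidden and not c.isspace()]
    if not visible:
        return "invisible"  # nothing a mail client would draw
    # Note: ZWJ/ZWNJ (Cf) are legitimate in some scripts, so 'mixed' needs review.
    return "mixed" if hits else "ok"

def audit(records):
    """Return (id, verdict, hits) for every record whose display name is not 'ok'."""
    findings = []
    for rec in records:
        verdict = classify(rec["display_name"])
        if verdict != "ok":
            findings.append((rec["id"], verdict, suspicious_chars(rec["display_name"])))
    return findings

# Constructed sample records standing in for a directory export.
SAMPLE = [
    {"id": "u1", "display_name": "Alice Example"},
    {"id": "u2", "display_name": "\u200b\u200b"},        # zero-width spaces only
    {"id": "u3", "display_name": "Bob\u202eExample"},    # embedded bidi override
    {"id": "u4", "display_name": "   "},                 # whitespace only
    {"id": "u5", "display_name": "Zoë Müller"},          # legitimate non-ASCII
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Entries reported as invisible are the ones that match the behaviour described above; entries reported as mixed warrant manual review rather than automatic rejection.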

Affected Products

Microsoft Outlook 2013 Service Pack 1 (64-bit editions), Microsoft Office 2016 x86, Microsoft Office 2016 x64, Microsoft Office 2013 RT Service Pack 1, Microsoft Office 2019 for 64-bit editions, Microsoft Outlook 2016 x86, Skype for Business 2016 Basic (64-bit), Microsoft Outlook 2016 x64, Microsoft Lync 2013 Service Pack 1 (32-bit), Microsoft Exchange Server 2016 Cumulative Update 13

References

CVE-2019-1084