Two newly discovered (and patched) vulnerabilities affect Outlook. The first is a remote code execution bug and, unlike many remote code vulnerabilities that need the user to do something such as visit a web site or open a file, this RTF/TNEF issue fires as soon as the targeted person opens the message (including in the reading pane). The exploit is packed in a winmail.dat file; when Outlook renders the winmail.dat, the embedded code runs. The second exploit uses OLE objects embedded in messages that are themselves attached to other email messages.
If you haven't already installed the Security Update for Microsoft Office to Address Remote Code Execution (3116111), released on December 8, 2015, do so as soon as possible. If you can't install the update yet, read mail in plain text or use a macro to convert RTF messages to plain text as they arrive; the RTF/TNEF rendering path is what the winmail.dat exploit depends on, so plain text removes the trigger.
It's also possible to set a registry key to prevent Outlook from loading Flash content (the BadWinmail exploit embeds a Flash object, so blocking the control blocks the payload). The value is a DWORD:
DWORD: Compatibility Flags
As always, accounts with fewer rights on the system are less impacted than those running with administrative rights: code that runs inside Outlook inherits the logged-on user's privileges.
For more information about this exploit, see https://sites.google.com/site/zerodayresearch/BadWinmail.pdf
A demo is available on YouTube.
The OLE exploit is detailed here: #OLEOutlook - bypass almost every Corporate security control with a point’n’click GUI.
To mitigate this issue (and any new ones that crop up) you can configure Outlook to hide OLE package attachments using Group Policy or by setting a registry key. The policy key for each Outlook version is listed below; the value is the same in every case.
Outlook 2016: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Outlook\Security
Outlook 2013: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Outlook\Security
Outlook 2010: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\14.0\Outlook\Security
Outlook 2007: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\12.0\Outlook\Security
DWORD: ShowOLEPackageObj Value: 0
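If you would rather script the registry change than click through regedit on each machine, the following PowerShell is an added example (it is not from the original article and not Microsoft's own tooling). It writes the ShowOLEPackageObj = 0 policy value under every Outlook version key listed above, creating the key if it is missing, and then reads the values back so you can confirm the setting actually landed. It assumes it runs as the user whose HKEY_CURRENT_USER hive you want to change; the function names and the version list are this example's own.

```powershell
# Added example, not from the original article: deploy and verify the
# ShowOLEPackageObj = 0 policy for every Outlook version listed above.
# Runs against the current user's HKCU hive; for a fleet, push the same
# values through Group Policy instead of running this per user.

# Office version keys: 16.0 = 2016, 15.0 = 2013, 14.0 = 2010, 12.0 = 2007
$OutlookVersions = @('16.0', '15.0', '14.0', '12.0')

function Get-OutlookSecurityPolicyKey {
    param([Parameter(Mandatory)][string]$Version)
    "HKCU:\Software\Policies\Microsoft\Office\$Version\Outlook\Security"
}

function Set-OutlookOlePackagePolicy {
    param([string[]]$Versions = $OutlookVersions)

    foreach ($v in $Versions) {
        $key = Get-OutlookSecurityPolicyKey -Version $v
        # Create the whole path if it does not exist; -Force on New-Item does
        # not wipe values that are already under the key.
        if (-not (Test-Path -Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }
        # -Force overwrites an existing value of a different type or data.
        New-ItemProperty -Path $key -Name 'ShowOLEPackageObj' `
            -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Get-OutlookOlePackagePolicy {
    param([string[]]$Versions = $OutlookVersions)

    foreach ($v in $Versions) {
        $key = Get-OutlookSecurityPolicyKey -Version $v
        # Missing key or value comes back as $null, which means "no policy set".
        $value = (Get-ItemProperty -Path $key -Name 'ShowOLEPackageObj' `
                    -ErrorAction SilentlyContinue).ShowOLEPackageObj
        [pscustomobject]@{
            Version    = $v
            PolicyKey  = $key
            Value      = $value
            OleHidden  = ($value -eq 0)   # $true only when the value is present and 0
        }
    }
}

Set-OutlookOlePackagePolicy
Get-OutlookOlePackagePolicy | Format-Table -AutoSize
```

The read-back step matters: a missing key and a key set to 1 both leave OLE package objects visible, and the Policies hive is the one that Group Policy writes and that Outlook honours over the user's own preference, so this is the value to audit after rollout.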