Microsoft recently disclosed a vulnerability in Outlook for Android that risked millions of devices. Exploiting the bug could permit cross-site scripting attacks on target devices.
Microsoft Outlook For Android Vulnerability
Microsoft has warned users of a vulnerability affecting its Outlook app for Android. As elaborated, it was an easy-to-exploit bug that required an attacker to simply send a maliciously crafted email to the victim.
Describing the vulnerability, CVE-2019-1460, in an advisory, Microsoft stated,
A spoofing vulnerability exists in the way Microsoft Outlook for Android software parses specifically crafted email messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim.
As a result, the attacker could then perform XSS attacks in the context of the current user.
The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user.
Microsoft disclosed this vulnerability following its scheduled monthly Patch Tuesday updates.
Microsoft Outlook is a popular application on Android that currently boasts over 100 million installations. It means this bug potentially posed a threat to millions of devices.
This XSS vulnerability first caught the attention of security researcher Rafael Pablos. Microsoft have rolled out a fix for this bug by addressing the way Microsoft Outlook parses specially crafted messages. They have also acknowledged the researcher for this flaw.
To stay protected from potential attacks, users using Microsoft Outlook on their Android devices must they update the app.
Researchers from Symantec have also recommended some precautionary steps to follow. These include,
- Running all software as non-privileged users with minimum permissions
- Monitoring traffic for suspicious activities
- Avoiding links from untrusted sources
- Disabling script code and active content in web browsers
Let us know your thoughts in the comments.