• The flaw was reported to be a spoofing vulnerability that could allow cybercriminals to carry out cross-site scripting.
  • It affects versions of Outlook for Android prior to 3.0.88; the app has over 100 million installations.

Microsoft has addressed a serious security vulnerability found in its Outlook for Android app. In its security advisory, the company states that versions of Outlook for Android prior to 3.0.88 carry a spoofing vulnerability that could permit attackers to conduct cross-site scripting (XSS) on devices with the app installed. Microsoft says the flaw was the result of an issue with email parsing.

Worth noting

  • The vulnerability, designated CVE-2019-1105, exists because Outlook incorrectly parsed specially crafted email messages.
  • In the advisory, Microsoft states that attackers could exploit this flaw by sending a specially crafted email message to victims.
  • Once exploited, attackers could subsequently perform XSS attacks and run malicious scripts.
  • Microsoft has fixed the flaw in version 3.0.88 of the app. Users who have installed the app are advised to update to this version from the Google Play Store.

No attacks reported

The vulnerability, which was discovered by many independent security researchers, has not been found to have been abused by attackers. As of now, no attacks related to this XSS flaw have been reported.

Security concerns in email clients

Over the past few months, a host of serious vulnerabilities have been discovered in popular email clients such as Thunderbird, Apple Mail and iOS Mail, as well as in Outlook. Security researchers found that these clients could be compromised with a range of attacks, including spoofing. All of this indicates that the security of email clients has become a growing concern.

Cyware Publisher