Microsoft today released an update to the Microsoft Outlook Android app that fixes a critical vulnerability that allows attackers to execute malicious code on victims' smartphones by simply sending an email.
The Outlook app for Android is currently used by more than 100 million users, so the pool of potential victims is immense. All versions of the Outlook app for Android prior to version 3.0.88 are susceptible to cross-site scripting (XSS) in the way they parse incoming email. A single specially crafted e-mail from an attacker is enough to make the Outlook app execute malicious code on the recipient's device.
No known exploitation of the vulnerability
The vulnerability is tracked as CVE-2019-1105 under the title “Outlook for Android Spoofing Vulnerability”. According to Microsoft, it was reported independently by several security researchers. Technical details and a proof-of-concept for such an attack are not yet publicly available. So far, Microsoft is not aware of the vulnerability having been actively exploited by attackers. Microsoft's advisory describes it as follows:
A spoofing vulnerability exists in the way Microsoft Outlook for Android software parses specifically crafted email messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim.
The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks in the security context of the current user.
The security update addresses the vulnerability by correcting how Outlook for Android parses specially crafted email messages.
Install the update to version 3.0.88 of the app as soon as possible
Updating the Outlook app for Android eliminates the risk of an attack. As of version 3.0.88 of the Android app, Microsoft has resolved the vulnerability by adjusting how incoming emails are parsed. Users of the Outlook app for Android are therefore advised to update the app via the Google Play Store as soon as possible, if the update has not already been installed automatically. However, in the changelog in the Google Play Store itself, Microsoft gives no indication of the importance of the update or of the security hole it closes.