Microsoft has just released an updated version of the Outlook app for Android that, according to information security specialists, fixes a security flaw of significant severity. The email app has about 100 million active users.
In a security report, Microsoft states that Outlook for Android version 3.0.88 and earlier contains a cross-site scripting (XSS) vulnerability tracked as CVE-2019-1105. The flaw stems from the way the app parses incoming emails.
According to the information security experts, if exploited, the vulnerability allows a remote threat actor to execute malicious client-side code on the target device; the attacker only needs to send a specially crafted email.
“After successfully exploiting this vulnerability, a hacker could perform XSS attacks on compromised systems by running scripts in the security context of any user,” the Microsoft report mentions.
According to the company’s information security team, the vulnerability was discovered by a group of independent researchers who notified the company following the proper procedure for reporting vulnerabilities. The experts who discovered the flaw reported that it could lead to an identity spoofing attack.
Details about the attack or a proof of concept for the vulnerability are not yet available, and Microsoft reported that it has no evidence to prove that this attack has been exploited in the wild.
Specialists from the International Institute of Cyber Security (IICS) recommend that Outlook for Android users check whether their app has been updated automatically. Otherwise, the user must install the update manually from the official Google Play Store.
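For administrators who manage a fleet of Android devices, the version check above can be scripted. The following is an added example, not part of the original report or Microsoft's tooling: it parses the `versionName` line from `adb shell dumpsys package com.microsoft.office.outlook` (the package name is Microsoft's real one) and compares it against the 3.0.88 threshold from the advisory; the sample `dumpsys` output at the bottom is constructed.

```shell
#!/bin/sh
# Added example: flag Outlook for Android builds at or below 3.0.88 (CVE-2019-1105).
# Assumes a device reachable over adb for the live check; the parsing/comparison
# functions below run stand-alone on pasted dumpsys output.
LAST_AFFECTED="3.0.88"   # per the advisory, this version and earlier are affected

# version_le A B: exit 0 if A <= B, comparing dot-separated numeric fields.
version_le() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i in x) ? x[i] + 0 : 0; yi = (i in y) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 0 }'
}

# parse_version_name: read dumpsys package output on stdin, print the first versionName.
parse_version_name() {
  sed -n 's/^[[:space:]]*versionName=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# outlook_status VERSION: print "vulnerable", "patched" or "unknown" (empty input).
outlook_status() {
  v="$1"
  if [ -z "$v" ]; then echo "unknown"; return 0; fi
  if version_le "$v" "$LAST_AFFECTED"; then echo "vulnerable"; else echo "patched"; fi
}

# Live check against a connected device (requires adb on PATH):
#   outlook_status "$(adb shell dumpsys package com.microsoft.office.outlook | parse_version_name)"

# Constructed sample dumpsys excerpt, used here so the script runs offline.
SAMPLE_DUMPSYS='Packages:
  Package [com.microsoft.office.outlook] (1a2b3c):
    versionCode=123 minSdk=21 targetSdk=28
    versionName=3.0.70'
check_sample() { printf '%s\n' "$SAMPLE_DUMPSYS" | parse_version_name | { read -r v; outlook_status "$v"; }; }
```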
Multiple zero-day vulnerabilities have recently been reported in various Microsoft products, mainly Windows 10. The researcher known as SandboxEscaper has disclosed at least five new security bugs over the past six months in components such as Remote Desktop, Windows Server and Windows 10 Sandbox.