Microsoft has just released an updated version of the Outlook app for Android that, according to information security specialists, fixes a significant severity security flaw. The email app has about 100 million active users.
In a security advisory, Microsoft reports that Outlook for Android version 3.0.88 and earlier contains a cross-site scripting (XSS) vulnerability tracked as CVE-2019-1105. The flaw stems from the way the app parses incoming email messages.
According to the information security experts, if exploited, the vulnerability allows a remote threat actor to execute malicious client-side code on the target device; the attacker only needs to send a specially crafted email.
“After successfully exploiting this vulnerability, a hacker could perform XSS attacks on compromised systems by running scripts in the security context of any user,” the Microsoft report mentions.
According to the company’s information security team, the vulnerability was discovered by a group of independent researchers who notified the company through its vulnerability disclosure process. The experts who discovered the flaw reported that it could lead to an identity spoofing attack.
Details about the attack or a proof of concept for the vulnerability are not yet available, and Microsoft reported that it has no evidence to prove that this attack has been exploited in the wild.
Specialists from the International Institute of Cyber Security (IICS) recommend Outlook for Android users check if their app has been updated automatically. Otherwise, the user must install the update manually from the official Google Play Store platform.
Multiple zero-day vulnerabilities have recently been reported in various Microsoft products, mainly Windows 10. The researcher known as Sandbox Escaper has reported at least five new security bugs over the past six months in services such as Remote Desktop, Windows Server and Windows 10 Sandbox.