Microsoft today released an update to the Microsoft Outlook for Android application that addresses a critical vulnerability that allows attackers to execute malicious code on victims' smartphones simply by sending an email.
The Outlook for Android application is currently used by more than 100 million users, so the number of potential victims is immense. All versions of the Outlook app for Android prior to version 3.0.88 are susceptible to cross-site scripting (XSS) in the way they parse received emails. A specially crafted email from an attacker is sufficient to make the client execute malicious code inside the Outlook application.
No known exploitation of the vulnerability
The vulnerability is tracked as CVE-2019-1105, titled "Outlook for Android Spoofing Vulnerability". According to Microsoft, it was reported independently by several security researchers. Technical details and a proof of concept for such an attack are not yet publicly available. So far, Microsoft is not aware of the vulnerability being actively exploited by attackers.
A spoofing vulnerability exists in the way Microsoft Outlook for Android parses specially crafted email messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim.
An attacker who successfully exploited this vulnerability could carry out cross-site scripting attacks in the security context of the current user.
The security update addresses the vulnerability by correcting how Outlook for Android parses specially crafted e-mail messages.
Install version 3.0.88 of the application as soon as possible
Updating the Outlook application for Android eliminates the risk of an attack. As of version 3.0.88 of the Android application, Microsoft has resolved the vulnerability by correcting how the app parses emails. We therefore recommend that users of the Outlook for Android application update the app through the Google Play Store as soon as possible, if the update has not already been installed automatically. However, in the changelog in the Google Play Store itself, Microsoft gives no indication of the importance of the update or of the security hole it closes.
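Because the Play Store changelog gives no hint that this update matters, an administrator checking a fleet of Android devices has to compare the installed build against 3.0.88 themselves. The following POSIX shell script is an added example written for this article, not code from Microsoft or from the article itself. It assumes that `adb` is installed, that a device is connected with USB debugging enabled, and that Outlook for Android is installed under its usual package name `com.microsoft.office.outlook`; the `versionName=` line it reads from `dumpsys package` output is the standard Android package manager format. The sample `dumpsys` fragment in the usage note is constructed.

```shell
#!/bin/sh
# Added example: flag Outlook for Android builds older than 3.0.88, the first
# fixed version named in the article. Not part of Microsoft's advisory.

FIXED_VERSION="3.0.88"
OUTLOOK_PKG="com.microsoft.office.outlook"   # assumed package name of Outlook for Android

# version_lt A B -> exit status 0 when dotted version A is numerically lower than B.
# Missing components count as 0, so "3.0" compares as "3.0.0".
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"            # leading component of each side
        [ "$a" = "$ai" ] && a="" || a="${a#*.}" # drop it from the remainder
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}" # ignore suffixes such as "-beta"
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1   # equal versions are not "less than"
}

# is_vulnerable VERSION -> exit status 0 when VERSION predates the fix
is_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# version_from_dumpsys: read `dumpsys package <pkg>` output on stdin,
# print the first versionName value (empty if the package is absent)
version_from_dumpsys() {
    sed -n 's/^[[:space:]]*versionName=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# check_device: query the connected device over adb and report the verdict.
# Exit status: 0 = vulnerable build installed, 1 = fixed build, 2 = not installed.
check_device() {
    v=$(adb shell dumpsys package "$OUTLOOK_PKG" | version_from_dumpsys)
    if [ -z "$v" ]; then
        echo "$OUTLOOK_PKG is not installed on this device"
        return 2
    fi
    if is_vulnerable "$v"; then
        echo "VULNERABLE: Outlook $v is older than $FIXED_VERSION, update via Google Play"
        return 0
    fi
    echo "OK: Outlook $v is $FIXED_VERSION or newer"
    return 1
}

# Usage on a connected device:  . ./outlook_check.sh && check_device
```

Without a device, the parser can be exercised on constructed input, for example `printf '    versionName=3.0.87\n    versionCode=1234\n' | version_from_dumpsys` prints `3.0.87`, and `is_vulnerable 3.0.87` succeeds while `is_vulnerable 3.0.88` fails. The comparison is numeric per component rather than a string compare, so `3.0.100` is correctly treated as newer than `3.0.88`.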