Microsoft has patched a vulnerability in Microsoft Outlook for Android, which opens the door to cross-site scripting (XSS) attacks.
The software giant said that CVE-2019-1105, rated “important,” is a spoofing vulnerability that exists in the way Microsoft Outlook for Android software parses specifically crafted email messages.
“An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim,” according to Microsoft’s Thursday advisory. “The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user.”
XSS attacks allow malicious scripts to be injected into otherwise benign and trusted websites. According to OWASP, “XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.”
In a typical case involving email, an attacker could send the target an email with a link containing malicious JavaScript.
“If the victim clicks on the link, the HTTP request is initiated from the victim’s browser and sent to the vulnerable web application,” according to a Veracode writeup on XSS. “The malicious JavaScript is then reflected back to the victim’s browser, where it is executed in the context of the victim user’s session.”
Microsoft’s security update addresses the vulnerability by ensuring that Outlook for Android now parses those specially crafted email messages correctly, it added. Users should update their applications as soon as possible.
Outlook bugs are not uncommon. Last year, a vulnerability (CVE-2018-0950) in Microsoft Outlook was found that would allow hackers to steal a user’s Windows password just by having the target preview an email with a Rich Text Format (RTF) attachment that contained a remotely hosted OLE object.
“By convincing a user to preview an RTF email message with Microsoft Outlook, a remote, unauthenticated attacker may be able to obtain the victim’s IP address, domain name, user name, host name, and password hash,” according to the CERT description of the vulnerability, found by Will Dormann, a researcher with the CERT Coordination Center.