Microsoft has released an update for Microsoft Outlook for Android that fixes a spoofing vulnerability in the application that could allow an attacker to compromise the device.
This new vulnerability is titled “CVE-2019-1460 | Outlook for Android Spoofing Vulnerability” and it allows potential attackers to create specially crafted emails that could launch scripts on the device in the security context of the user when opened.
A spoofing vulnerability exists in the way Microsoft Outlook for Android software parses specifically crafted email messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim.
The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user.
Microsoft Outlook for Android version 4.0.65 has been released to change how Outlook parses these specially crafted email messages so that they cannot perform cross-site scripting attacks.
While Microsoft indicates that this vulnerability is not publicly known and has not been exploited in the wild, the app's Google Play Store entry lists over 100 million installs, which makes unpatched installations a large user base to target.
Because of that large user base, the vulnerability is an attractive candidate for attackers to locate by patch diffing: downloading the previous version of Microsoft Outlook for Android, comparing it with the fixed version to find the changed parsing code, and building an exploit from the difference.
If you have disabled automatic app updates in Android, it is strongly advised that you download and install the latest version from Google Play now to stay protected.
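For administrators who need to verify the update across managed devices, the following added example (not from the article or from Microsoft) parses the output of `adb shell dumpsys package` and reports whether the installed Outlook build is at or above the fixed version 4.0.65. It assumes the package id `com.microsoft.office.outlook`; the dumpsys text embedded below is constructed sample output, not captured from a real device.

```python
import re
from typing import Optional, Tuple

# Fixed version named in the advisory: Outlook for Android 4.0.65.
FIXED_VERSION: Tuple[int, ...] = (4, 0, 65)
# Assumption: Outlook for Android's package id (not stated in the article).
OUTLOOK_PACKAGE = "com.microsoft.office.outlook"

# Constructed sample of `adb shell dumpsys package com.microsoft.office.outlook`,
# trimmed to the lines that matter. Not real device output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.microsoft.office.outlook] (a1b2c3d):
    userId=10123
    versionCode=40065000 minSdk=23 targetSdk=28
    versionName=4.0.65
    splits=[base]
"""


def parse_version(version_name: str) -> Tuple[int, ...]:
    """Turn '4.0.65' (or '4.0.65-beta') into a tuple of ints so that
    4.0.7 compares lower than 4.0.65, which a string compare gets wrong."""
    core = version_name.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def installed_version(dumpsys_output: str, package: str) -> Optional[str]:
    """Return the versionName of `package` from dumpsys output, or None if
    the package block is missing (app not installed or wrong package id)."""
    pattern = r"Package \[%s\].*?(?=\n  Package \[|\Z)" % re.escape(package)
    block = re.search(pattern, dumpsys_output, re.S)
    if block is None:
        return None
    match = re.search(r"versionName=(\S+)", block.group(0))
    return match.group(1) if match else None


def is_patched(dumpsys_output: str) -> bool:
    """True only when Outlook is present and its version is >= 4.0.65.
    A missing package counts as not patched so it shows up for review."""
    version = installed_version(dumpsys_output, OUTLOOK_PACKAGE)
    return version is not None and parse_version(version) >= FIXED_VERSION


if __name__ == "__main__":
    print("patched" if is_patched(SAMPLE_DUMPSYS) else "NEEDS UPDATE")
```

Feed it the real dumpsys output from each enrolled device (for example via `adb -s <serial> shell dumpsys package com.microsoft.office.outlook`) to build a list of devices still running a vulnerable build.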