Cybersecurity researchers have warned that a spoofing bug, CVE-2019-1105, could serve as the first link in an email-based attack chain. Microsoft has now patched the vulnerability, which affects Outlook for Android and opens the door to cross-site scripting (XSS) attacks. The company said that CVE-2019-1105, rated “important”, is a spoofing vulnerability in the way Microsoft Outlook for Android parses email messages.
“An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim,” a Microsoft advisory said. “The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user,” it added.
XSS attacks allow malicious scripts to be injected into otherwise benign and trusted websites, where they run with the privileges of the victim’s session. In a typical case involving email, an attacker sends the target a message containing a link whose parameters carry malicious JavaScript. In the Outlook for Android case, the crafted content is carried in the email message itself, which the client parses.
“If the victim clicks on the link, the HTTP request is initiated from the victim’s browser and sent to the vulnerable web application,” a Veracode article on XSS said. “The malicious JavaScript is then reflected back to the victim’s browser, where it is executed in the context of the victim user’s session.”
Microsoft’s security update addresses the vulnerability by ensuring that Outlook for Android parses those specially crafted email messages correctly, the advisory added. Users should update the app as soon as possible.