You got (malicious) mail
A severe vulnerability in Microsoft Outlook for Android that could allow an attacker to takeover a victim’s device has been fixed.
The security issue could enable a malicious actor to execute a cross-site scripting (XSS) exploit on any Android smartphone or tablet using the email client.
This is due to the way the software parses “specifically crafted email messages”, Microsoft said.
An attacker could seize the opportunity to send emails containing malicious JavaScript code due to a function within how a message is rendered in the application.
“The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user,” Microsoft said.
The vulnerability (CVE-2019-1105) was discovered, in part, by researchers at CyberArk Labs.
CyberArk Labs said that it notified Microsoft of the security flaw in January this year through the company's responsible disclosure process.
The cybersecurity firm also detailed the attack proof-of-concept in a blog post.
“When we extract the Outlook’s APK, we will find under the assets directory a JavaScript file called emailRenderer-android.js,” CyberArk Labs writes.
“As its name implies, this JavaScript renders the content of the message viewable to the user.
“Inside this script there is a function called ‘layout’ that calls a function named _linkifyPhoneNumbers.”
An attacker can match the latter function to deliver a payload.
“After converting the numbers into a link, there is no other escaping on the content,” CyberArk said.
“Therefore, an attacker can send a message containing a number that matches the regular expression and, after converting it to a link, the counter will increase and replace the original message with an unescaped version of the message.”
A fix was released on June 20, and an advisory from the US government via the Cybersecurity Infrastructure Security Agency (CISA) immediately followed.
“The security update addresses the vulnerability by correcting how Outlook for Android parses specially crafted email messages,” Microsoft said.
Outlook for Android has been downloaded more than 100 million times on the Google Play store.
The webmail service remains one of the top 10 email clients for both desktop and mobile.