As we reported two days ago, Microsoft this week released an updated version of its Outlook app for Android that patches a severe remote code execution vulnerability (CVE-2019-1105) that impacted over 100 million users.
However, at that time, very few details of the flaw were available in the advisory, which just revealed that the earlier versions of the email app contained a cross-site scripting (XSS) flaw that could allow attackers to run scripts in the context of the current user just by sending a specially crafted email to the victims.
Now, Bryan Appleby from F5 Networks, one of the security researchers who reported this issue independently to Microsoft, released more details and proof-of-concept for the Outlook vulnerability that he reported to the tech giant almost six months ago.
In other words, the vulnerability resided in the way email server parses HTML entities in the email messages.
The vulnerability, Appleby said, allowed him to “steal data from the app—I could use it to read and extract the HTML.”
“This code can do whatever the attacker desires, up to and including stealing information and/or sending data back out. An attacker can send you an email and just by you reading it, they could steal the contents of your inbox. Weaponized, this can turn into a very nasty piece of malware.”
images from Hacker News