Microsoft has recently patched its Outlook app for Android against a severe vulnerability. The flaw could be leveraged to carry out XSS (cross-site scripting) attacks on users who have the Outlook app installed on their Android smartphones. The vulnerability has been assigned the identifier CVE-2019-1105.
An attack of this kind is carried out by sending a specially crafted email message with an embedded malicious script that is loaded from a different, remote site. When the user opens such a message in the vulnerable app, the script runs in the context of the app and can perform actions such as reading the victim's email messages or other data.
XSS attacks are not uncommon: even major websites such as NYTimes have been used to carry out XSS attacks on their visitors in the past. When a user visits such a trusted website, malicious code is downloaded from a different site and executed in the web browser. In desktop web browsers you can install extensions such as NoScript to block such scripts, but there is little a user can do when a smartphone app itself is vulnerable; the fix has to come from the app vendor.
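The app-side fix for this class of bug is to sanitize the HTML body of a message before rendering it, so that no script, inline event handler or script-scheme link ever reaches the rendering view. The following is an added example, not code from Outlook or from Microsoft, of a minimal allowlist sanitizer built on Python's standard-library HTML parser; the allowlists, the sample message body and the function names are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlists constructed for this example; a real client should use a vetted library.
ALLOWED_TAGS = {"p", "div", "span", "b", "i", "u", "br", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}

def _safe_url(url: str) -> bool:
    # Browsers ignore embedded whitespace, so remove it before reading the scheme.
    scheme = urlsplit("".join(url.split())).scheme.lower()
    return scheme in ("", "http", "https", "mailto")
class EmailHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.dropped, self.skip_depth = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:        # drop the element and its whole body
            self.skip_depth += 1
            self.dropped.append(tag)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                          # unknown element: drop tag, keep its text
        kept = []
        for name, value in attrs:
            if name.startswith("on"):       # inline event handler
                self.dropped.append(f"{tag}@{name}")
            elif name == "href" and not _safe_url(value or ""):
                self.dropped.append(f"{tag}@href")   # javascript:/data: link target
            elif name in ALLOWED_ATTRS.get(tag, set()):
                kept.append(f' {name}="{html.escape(value or "")}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):            # text nodes are re-escaped on output
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def sanitize_email_html(body: str) -> tuple[str, list[str]]:  # (safe_html, dropped)
    s = EmailHtmlSanitizer()
    s.feed(body)
    s.close()
    return "".join(s.out), s.dropped
SAMPLE_BODY = (  # constructed sample body, not a real malicious message
    '<p onclick="steal()">Hi <b>there</b></p><script src="https://remote.example/x.js"></script>'
    '<a href="javascript:alert(1)">click</a><a href="https://example.com/">ok</a>')
```

The second return value lists what was stripped (remote script element, event handler, script-scheme link), which a client can log to detect messages that attempted to carry script.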
Microsoft has released an update to the Outlook app for Android. The new version (3.0.90) addresses this vulnerability. All Android users should therefore update the Outlook app to the latest available version to ensure that they are protected against the XSS vulnerability.
If you have not set the Google Play Store to update apps automatically as newer versions become available, you may have to update the Outlook app manually. To do so, launch the Play Store, search for the Outlook app and tap the “Update” button.
Fortunately, iPhone users are not affected: the Outlook app for iOS does not have this vulnerability, possibly because different developer teams build the Android and iOS apps.
For more information about this vulnerability, see Microsoft's advisory at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1105.