As we reported two days ago, Microsoft this week released an updated version of its Outlook app for Android that patches a severe remote code execution vulnerability (CVE-2019-1105) that impacted over 100 million users.
However, at that time, very few details of the flaw were available in the advisory, which just revealed that the earlier versions of the email app contained a cross-site scripting (XSS) flaw that could allow attackers to run scripts in the context of the current user just by sending a specially crafted email to the victims.
Now, Bryan Appleby from F5 Networks, one of the security researchers who reported this issue independently to Microsoft, released more details and proof-of-concept for the Outlook vulnerability that he reported to the tech giant almost six months ago.
In other words, the vulnerability resided in the way email server parses HTML entities in the email messages.
The vulnerability, Appleby said, allowed him to “steal data from the app—I could use it to read and extract the HTML.”
“This code can do whatever the attacker desires, up to and including stealing information and/or sending data back out. An attacker can send you an email and just by you reading it, they could steal the contents of your inbox. Weaponized, this can turn into a very nasty piece of malware.”
Appleby responsibly reported his findings to Microsoft on 10 December 2018, and the company confirmed the vulnerability on 26 March 2019 when he shared a universal PoC with the tech giant.
Besides Appleby, security researchers Sander Vanrapenbusch, Tom Wyckhuys, Eliraz Duek from CyberArk and Gaurav Kumar also reported the same issue to Microsoft separately in recent months.
Gaurav Kumar also shared a video with The Hacker News that demonstrates the vulnerability in action, as shown above.
Once again, if your Android device is not yet updated automatically, you are advised to update your Outlook app from Google Play Store manually.