Microsoft has rolled out a fix for a Medium severity Outlook for Android bug that could enable spoofing at cross-site scripting (XSS). According to an advisory for CVE-2019-1460, the issues lies in how Outlook parses emails.
“An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim,” explained Microsoft. “The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user.”
XSS works by injecting scripts into a user's webpages to trick the PC into believing they come from a trusted source. The Outlook vulnerability was found by security researcher Rafael Pablos.
Microsoft says the bug hasn't been exploited in the wild and considers it not publically disclosed. However, now that it's out in the open, it' s a good idea to update your app. Though there's no proof of concept, attackers could find the bug now that they know where to look and can compare versions.
Thankfully, a criminal looking to exploit the vulnerability would have to be on the same network as the user. Given the wide use of phones on public WiFi, that's not an insignificant risk, but at least you're safe if you never leave the house.