Microsoft has patched a major vulnerability in the recent Microsoft outlook for Android. The vulnerability practically opens the door for cross-site scripting (XSS) attacks. The CVE-2019-1105 is termed as important by the Microsoft, the spoofing vulnerability that existing in the outlook allows the android software parses the specifically crafted email messages. According to the Thursday advisory issued by the Microsoft, an authenticated attacker could exploit the vulnerability by sending the specifically crafted messages to the victims. The attacker who has successfully exploited the vulnerability could then perform cross-site scripting attacks that result in systems getting affected while the run scripts in the security context of the current user.
XSS attacks allow malicious scripts to directly injected into newer and trusted websites. XSS attacks occur when an attacker uses a web application for transferring malicious code. It generally happens through in the form of a browser side script to a different user. The flaw that allows such attacks to succeed is quite widespread. What makes this attacks more lethal that it can occur along anywhere that uses web application input from a user while the output is generated without validating or encoding it. It’s a typical case that involves email an attacker could send the target an email with a link that contains malicious JavaScript.
If the victim clicks on the link, the HTTP request is initiated from the victim’s browser after that it’s directly sent to the vulnerable web application. The malicious Javascript is then reflected back to the victim’s browser, where it is then executed in the context of the user’s session. Outlook bugs aren’t new for the email users, the last year vulnerability CVE-2018-0950 in the Microsoft Outlook added that it could steal the users Windows password by having target preview an email with RTF attachment that contained the remotely hosted OLE object.