The bug, tracked as “CVE-2019-1460”, would allow an attacker to perform cross-site scripting (XSS) attacks on affected systems. XSS attacks occur when malicious parties inject client-side scripts into a webpage. This tricks the unsuspecting user’s browser into treating the script as if it had come from a trusted source. Microsoft further explains that the issue exists in the way Outlook for Android parses crafted email messages.
An attacker who successfully exploits the vulnerability can perform cross-site scripting attacks and run scripts in the security context of the user. The problem exists due to insufficient sanitisation of user data. The vulnerability could allow hackers to steal sensitive information, change webpage appearance, and perform phishing attacks.
Microsoft has fixed the issue in its scheduled monthly patch. Outlook is a popular application on Android with over 100 million installations, so this bug has posed a threat to millions of devices. The fix is in Outlook for Android v4.0.65. The update changes the way Outlook parses specially crafted emails. The new method blocks the ability to perform cross-site scripting attacks.
While the vulnerability could potentially affect millions of users, Microsoft indicates that the vulnerability is not publicly known. Outlook users are recommended to update their app to the latest version.