PoC Released for Outlook Flaw that Microsoft Patched 6 Month After Discovery
Jun 22, 2019
As we reported two days ago, Microsoft this week released an updated version of its Outlook app for Android that patches a severe remote code execution vulnerability ( CVE-2019-1105 ) that impacted over 100 million users. However, at that time, very few details of the flaw were available in the advisory, which just revealed that the earlier versions of the email app contained a cross-site scripting (XSS) flaw that could allow attackers to run scripts in the context of the current user just by sending a specially crafted email to the victims. Now, Bryan Appleby from F5 Networks, one of the security researchers who reported this issue independently to Microsoft, released more details and proof-of-concept for the Outlook vulnerability that he reported to the tech giant almost six months ago. In a blog post published Friday, Appleby revealed that while exchanging some JavaScript code with his friends over an email, he accidentally discovered a cross-site scripting (XSS) issue th...