Windows 10: CVE-2019-1460 - Outlook for Android Spoofing Vulnerability

Brink · Nov 26, 2019

MITRE CVE-2019-1460

A spoofing vulnerability exists in the way Microsoft Outlook for Android software parses specifically crafted email messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim.

The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user.

The security update addresses the vulnerability by correcting how Outlook iOS parses specially crafted email messages.

Exploitability Assessment

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

[table][tr]Publicly Disclosed Exploited Latest Software Release Older Software Release Denial of Service [/tr] [tr][td]No[/td] [td]No[/td] [td]Not Applicable[/td] [td]Not Applicable[/td] [td]Not Applicable[/td] [/tr] [/table]

Security Updates

To determine the support life cycle for your software version or edition, see the Microsoft Support Lifecycle.

[table][tr]Product Platform Article Download Impact Severity Supersedence [/tr] [tr][td]Microsoft Outlook for Android[/td] [td][/td] [td]Release Notes[/td] [td]Security Update[/td] [td]Spoofing[/td] [td]Important[/td] [td][/td] [/tr] [/table]

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Acknowledgements

Rafael Pablos

See acknowledgements for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

[table][tr]Version Date Description [/tr] [tr][td]1.0[/td] [td]11/19/2019[/td] [td]Information published.[/td] [/tr] [/table]
Click to expand...

Source: https://portal.msrc.microsoft.com/en.../CVE-2019-1460

:)

Brink · Nov 26, 2019

CVE-2019-1460 - Outlook for Android Spoofing Vulnerability

MITRE CVE-2019-1460

A spoofing vulnerability exists in the way Microsoft Outlook for Android software parses specifically crafted email messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim.

The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user.

The security update addresses the vulnerability by correcting how Outlook iOS parses specially crafted email messages.

Exploitability Assessment

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

[table][tr]Publicly Disclosed Exploited Latest Software Release Older Software Release Denial of Service [/tr] [tr][td]No[/td] [td]No[/td] [td]Not Applicable[/td] [td]Not Applicable[/td] [td]Not Applicable[/td] [/tr] [/table]

Security Updates

To determine the support life cycle for your software version or edition, see the Microsoft Support Lifecycle.

[table][tr]Product Platform Article Download Impact Severity Supersedence [/tr] [tr][td]Microsoft Outlook for Android[/td] [td][/td] [td]Release Notes[/td] [td]Security Update[/td] [td]Spoofing[/td] [td]Important[/td] [td][/td] [/tr] [/table]

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Acknowledgements

Rafael Pablos

See acknowledgements for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

[table][tr]Version Date Description [/tr] [tr][td]1.0[/td] [td]11/19/2019[/td] [td]Information published.[/td] [/tr] [/table]
Click to expand...

Source: https://portal.msrc.microsoft.com/en.../CVE-2019-1460

krzemien · Nov 26, 2019

CVE-2019-1105 - Outlook for Android Spoofing Vulnerability

Updated app on my Android device appeared literally within minutes of the above post.
One thing sadly is missing there: release notes do not contain any of the above...

Brink · Nov 26, 2019

CVE-2019-1105 - Outlook for Android Spoofing Vulnerability

A spoofing vulnerability exists in the way Microsoft Outlook for Android software parses specifically crafted email messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted email message to a victim.

The attacker who successfully exploited this vulnerability could then perform cross-site scripting attacks on the affected systems and run scripts in the security context of the current user.

The security update addresses the vulnerability by correcting how Outlook for Android parses specially crafted email messages.

Exploitability Assessment

The following table provides an exploitability assessment for this vulnerability at the time of original publication.

[table][tr]Publicly Disclosed Exploited Latest Software Release Older Software Release Denial of Service [/tr] [tr][td]No[/td] [td]No[/td] [td]Not Applicable[/td] [td]Not Applicable[/td] [td]Not Applicable[/td] [/tr] [/table]

Security Updates

To determine the support life cycle for your software version or edition, see the Microsoft Support Lifecycle.

[table][tr]Product Platform Article Download Impact Severity Supersedence [/tr] [tr][td]Microsoft Outlook for Android[/td] [td][/td] [td]Release Notes[/td] [td]Security Update[/td] [td]Spoofing[/td] [td]Important[/td] [td][/td] [/tr] [/table]

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

FAQ

How do I get the update for Outlook for Android?

Tap the Google Play icon on your home screen.

Swipe in from the left edge of the screen.

Tap My apps & games.

Tap the Update box next to the Outlook app.

Acknowledgements

Sander Vanrapenbusch

Tom Wyckhuys

Eliraz Duek, Or Ida, Nethanel Coppenhagen | CyberArk

Gaurav Kumar(0x01) @kumargaurav776

Bryan Appleby F5 Networks

See acknowledgements for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

[table][tr]Version Date Description [/tr] [tr][td]1.0[/td] [td]06/20/2019[/td] [td]Information published.[/td] [/tr] [/table]
Click to expand...

Source: https://portal.msrc.microsoft.com/en.../CVE-2019-1105

Windows 10: CVE-2019-1460 - Outlook for Android Spoofing Vulnerability

CVE-2019-1460 - Outlook for Android Spoofing Vulnerability

CVE-2019-1460 - Outlook for Android Spoofing Vulnerability

CVE-2019-1460 - Outlook for Android Spoofing Vulnerability

CVE-2019-1460 - Outlook for Android Spoofing Vulnerability - Similar Threads - CVE 2019 1460

Vulnerability CVE-2021-36934

CVE-2020-0601 Windows CryptoAPI Spoofing Vulnerability Security Vulnerability Published:...

CVE-2019-1378 Windows 10 Update Assistant Vulnerability

CVE-2019-1255 Microsoft Defender Denial of Service Vulnerability

CVE-2019-1292 | Windows Elevation of Privilege Vulnerability

CVE-2019-1215 | Windows Elevation of Privilege Vulnerability

CVE-2019-1125 Windows Kernel Information Disclosure Vulnerability

CVE-2019-1105 - Outlook for Android Spoofing Vulnerability

CVE-2019-0627 - Windows Security Feature Bypass Vulnerability