Cybersecurity experts with Google Security Research on Monday announced that Android users relying on Outlook may be at risk of cyberattack. There is a vulnerability within the Android version of Outlook, Microsoft’s free email app, that may allow for directory traversal attacks. The goal of a directory traversal attack is to use an affected app to gain unauthorized access to your device’s file system.
When you download an email attachment, it is typically stored in a file system area that both the Outlook app and other apps on your phone or device can reach. Code embedded within the attachment tells your device where, within that file system, to store the file. If that code has been manipulated to exploit a security hole, it can direct the file to locations outside the root directory. Unfortunately, Outlook does nothing to prevent this: downloading an attachment into which malicious code has been injected could allow attackers to:
- access restricted directories
- execute commands outside of a device’s root directory
Once outside the root directory, attackers could potentially read restricted files stored elsewhere on your mobile device and, likewise, write files anywhere in the file system to which Outlook has access. With that access, attackers can gather the additional information needed to further compromise the file system and your device, all without user interaction.
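As an added illustration, not code from the Google report or from Outlook itself, the snippet below shows how storing an attachment under an attacker-chosen name walks out of the intended directory, and how a client can confine attachments to that directory. The app directory and the attachment names are constructed for the example.

```python
import posixpath
import urllib.parse

# Hypothetical app-private attachments directory (constructed for this example).
ATTACH_DIR = "/data/data/com.example.mail/files/attachments"

# Constructed attachment names, benign and hostile, as a mail client might receive them.
ATTACHMENT_NAMES = [
    "report.pdf",                        # ordinary attachment
    "../../shared_prefs/prefs.xml",      # relative traversal out of the directory
    "..%2F..%2Fdatabases/mail.db",       # percent-encoded traversal
    "/sdcard/Download/payload.apk",      # absolute path
    "..",                                # not a file name at all
]

def naive_store_path(attach_dir, name):
    """The unsafe pattern: join the attacker-controlled name straight onto the
    directory. '..' components walk upward, and an absolute name makes
    posixpath.join discard attach_dir entirely."""
    return posixpath.normpath(posixpath.join(attach_dir, name))

def escapes(attach_dir, path):
    """True when a normalized path lies outside attach_dir."""
    return posixpath.commonpath([attach_dir, path]) != attach_dir

def safe_store_path(attach_dir, name):
    """Hardened pattern: decode, keep only the final path component, reject
    names that are not a real file name, then re-check the resolved result.
    Returns None when the attachment must be refused."""
    decoded = urllib.parse.unquote(name)            # undo %2F-style encoding first
    leaf = posixpath.basename(decoded.replace("\\", "/"))
    if leaf in ("", ".", "..") or "\x00" in leaf:
        return None
    candidate = posixpath.normpath(posixpath.join(attach_dir, leaf))
    if escapes(attach_dir, candidate):              # defence in depth
        return None
    return candidate

def audit(attach_dir, names):
    """For each name: (name, does the naive path escape?, safe path or None)."""
    return [(n, escapes(attach_dir, naive_store_path(attach_dir, n)),
             safe_store_path(attach_dir, n)) for n in names]

if __name__ == "__main__":
    for name, leaks, safe in audit(ATTACH_DIR, ATTACHMENT_NAMES):
        print(f"{name!r:36} naive escapes: {leaks!s:5} safe: {safe}")
```

The percent-encoded name only becomes a traversal once something decodes it, which is why the hardened version decodes before it strips and checks.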
This bug does have its limitations, however.
- Those using Hotmail don’t have to worry; the Hotmail service sanitizes files on its web servers. Those not using Hotmail, however, are vulnerable.
- The malicious attachment cannot overwrite an existing file. If a file with that name already exists, the attachment's contents are appended to it.
- Users must click attached images to view them. Viewing the thumbnail image within a message is insufficient to execute this bug; the image must actually be opened and downloaded.
The best way to protect yourself from this newly reported vulnerability is to avoid downloading attachments using the Outlook app until Microsoft releases security patches. Digital Link will continue to monitor this issue and provide updates as they become available.