Microsoft Patches Spoofing Flaw in Windows Surface Mail App


Microsoft issued security updates for its Windows Store applications, addressing a spoofing vulnerability in its Windows Modern Mail app that could be used to trick users into believing they are on a trusted website.

The vulnerability could be used to get victims to give up account credentials and other sensitive data, Microsoft said in its advisory published Tuesday. The software giant gave the security update a moderate rating.

"Microsoft recommends that customers running this software apply the update as soon as possible using the Windows Store Apps update feature," Microsoft said.


Chester Wisniewski, senior security adviser at Sophos, said the Windows Modern Mail app vulnerability enables an attacker to mislead users by spoofing a link to a legitimate website. According to Wisniewski, the problem is compounded by the fact that it occurs on a tablet or mobile device, where users may be more likely to click on a link.

"It's getting harder and harder to stop these kinds of problems," Wisniewski told CRN. "The problem is that most of the protocols of the Internet, including email, are built on a trust model and not security, and you can't trust everything on the Web anymore."

Cisco Systems issued an alert to its customers indicating that the information disclosure vulnerability could aid an attacker in phishing or spoofing attacks.

The issue appears isolated to the Windows Modern Mail app and the way it renders HTML, said Alex Horan, a systems engineer and senior product manager at Boston-based penetration testing vendor Core Security Technologies. An attacker would likely try to use the vulnerability to either gain control of the device or attempt to steal an account credential, Horan said.

"The common reality is that users only have one password and if you can get [their password for] Facebook it will also work with their Gmail, Hotmail and even bank accounts," Horan told CRN.

The Microsoft security fix was included in a Tuesday update to its Mail, Calendar, People and Messaging app, which also added tweaks and feature improvements. The update also affects Microsoft's calendar, removing support for synchronizing with Google Calendar. The synchronization feature is no longer supported because Google removed Exchange ActiveSync support from its servers, Microsoft said.

PUBLISHED MARCH 27, 2013