Published:2014/07/30  Last Updated:2016/11/22

JVN#72950786
Outlook.com for Android contains an issue where it fails to verify SSL server certificates

Overview

Outlook.com for Android contains an issue where it fails to verify SSL server certificates.

Products Affected

  • Outlook.com versions prior to 7.8.2.12.49.7090

Description

Outlook.com for Android contains an issue where it fails to verify SSL server certificates.

Impact

A man-in-the-middle attack may allow an attacker to eavesdrop on an encrypted communication.

Solution

Update the Software
Update to the latest version according to the information provided by the developer.

Vendor Status

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v2 AV:N/AC:H/Au:N/C:P/I:P/A:N
Base Score: 4.0
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)

Credit

Koki Takahashi of Sony Global Education, Inc reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2014-5239
JVN iPedia JVNDB-2014-000086

Update History

2014/08/26
Fixed information under "Impact"
2014/09/19
Information under the section "Other Information" was updated.
2016/11/22
Information under the section "Credit" was updated.