CERT-In has issued an advisory to Android smartphone users who use Bing as their search engine. The advisory says, "Arbitrary code execution vulnerability has been reported in Microsoft Bing for Android which could allow remote attackers to execute arbitrary code and install arbitrary APK (Android application package file) on Android devices."
The cyber security agency has classified the threat as “medium.” The agency also warned users that the threat could lead to a virus attack that could “compromise” sensitive information stored on the phone.
Microsoft Bing 4.2.0 and prior versions have been reported to be vulnerable to the attack. The agency has advised Bing users to upgrade the app to the latest version, 4.2.1, and to use an anti-virus app on their phones.
Giving more detail on the vulnerability, CERT-In says, “a flaw has been reported in Microsoft Bing for Android which could trigger while handling DNS (Domain Name System) responses on a secure network. An attacker could leverage this issue to execute arbitrary code within the context of the application. Successful exploitation of this vulnerability could allow an attacker to install arbitrary APK files via vectors involving a crafted DNS response, leading to the compromise of the device and resulting in information disclosure.”