Six Microsoft applications on macOS are vulnerable to outside hackers, security researchers at Cisco Talos have discovered. Attackers can exploit flaws to access sensitive information, send emails, and record video and audio without any user interaction.
Outlook, Teams, PowerPoint, OneNote, Excel, and Word on macOS are all affected by separate flaws. Malicious actors can exploit these by injecting malicious libraries and gaining permissions to access microphone, camera, folders, screen recording, user input, and more.
Users wouldn’t even notice if threat actors sent emails. Recording audio clips, taking pictures, or recording videos requires no user interaction.
“An attacker could bypass the operating system’s permission model by using existing app permissions without prompting the user for any additional verification. If successful, the adversary could gain any privileges already granted to the affected Microsoft applications,” the report explains.
Researchers identified eight vulnerabilities in total, three of which affect Microsoft Teams. Cisco Talos estimated a severity score of 7.1 out of 10.
However, Microsoft has “declined to fix the issues.” The tech giant “considers these issues low risk,” as applications would need to allow loading unsigned libraries to support plugins.
How can attackers exploit the flaw?
Apple macOS has strong security features, from app vetting and sandboxing to strict permission management. Enhanced protection goes beyond the capabilities of standard Discretionary Access Control (DAC) policy systems.
However, if a trusted app is injected with malicious code, it can then use all the permissions already granted to the app. The attackers can effectively hijack the running process and operate on behalf of the application itself.
MacOS counters this threat with a security feature called hardened runtime. It guards against malicious library injection attacks. However, some apps, including Microsoft Office apps, have library validation disabled, which allows the loading of plug-ins from third-party developers. Or hackers.
“As a result, all the office apps permit the loading of unsigned dynamic libraries. This poses a security concern because malware could exploit the apps’ permissions without proper authorization,” the report reads.
Researchers found a method to tamper with the app’s libraries by copying, modifying, and loading them from another folder, such as /tmp.
They question Microsoft's decision to disable library validation, as it circumvents the safeguards offered by the macOS’s hardened runtime feature.
Following the disclosure, Microsoft updated Teams and OneNote apps on macOS, and these apps are no longer vulnerable to the described scenario.
However, Excel, Outlook, PowerPoint, and Word remain open doors for attackers “to exploit all of the apps' entitlements and, without any user prompts, reuse all the permissions already granted to the app.”
There is no clear way to securely handle third-party app plugins within the current macOS framework. That would require Microsoft or Apple to verify each plugin’s security and sign third-party modules. Researchers suggest that Apple introduce a user prompt to load a specific third-party plug-in.
Your email address will not be published. Required fields are markedmarked