Hackers can exploit Microsoft macOS app vulnerabilities to bypass permissions

Cisco Talos recently discovered eight vulnerabilities in various Microsoft 365 applications available on macOS. Through these vulnerabilities, hackers can bypass the macOS permission model by using existing app permissions without requesting any additional verification from the user. In simple terms, a hacker would be able to send emails from the user account, record audio clips, take pictures, or record videos without any permission from the user.

| Talos ID        | CVE            | App name                                                          |
|-----------------|----------------|-------------------------------------------------------------------|
| TALOS-2024-1972 | CVE-2024-42220 | Microsoft Outlook                                                 |
| TALOS-2024-1973 | CVE-2024-42004 | Microsoft Teams (work or school)                                  |
| TALOS-2024-1974 | CVE-2024-39804 | Microsoft PowerPoint                                              |
| TALOS-2024-1975 | CVE-2024-41159 | Microsoft OneNote                                                 |
| TALOS-2024-1976 | CVE-2024-43106 | Microsoft Excel                                                   |
| TALOS-2024-1977 | CVE-2024-41165 | Microsoft Word                                                    |
| TALOS-2024-1990 | CVE-2024-41145 | Microsoft Teams (work or school) WebView.app helper app           |
| TALOS-2024-1991 | CVE-2024-41138 | Microsoft Teams (work or school) com.microsoft.teams2.modulehost.app |

These vulnerabilities are based on a code injection technique in which malicious code is inserted into legitimate processes to access protected resources. Apple macOS already has security features like Hardened Runtime to protect against code injection. Hardened Runtime prevents an app from loading frameworks, plug-ins, or libraries unless they are either signed by Apple or signed with the same Team ID as the main app. However, a developer can opt out of this protection by explicitly setting the com.apple.security.cs.disable-library-validation entitlement to true. Microsoft's macOS applications have this entitlement enabled, which is what makes these eight new vulnerabilities possible.

To counter this risk, sandboxing is required for apps distributed through the Mac App Store. Sandboxing is designed to restrict access to resources and data; a sandboxed app can only access the resources it has explicitly requested through entitlements, and access to some of those resources is further protected by a user consent pop-up.

For example, a sandboxed app will prompt the user for camera access only if it has the com.apple.security.device.camera entitlement set to true. If this entitlement is not present, the app won't be allowed camera access, and consequently, the permission pop-up won't even appear.
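The two mechanisms described above (library validation under Hardened Runtime, and sandbox entitlements gating access to devices such as the camera) can both be read straight out of an app bundle's code-signing entitlements. The script below is an added example for defenders triaging this issue; it is not code from the Talos report or from Microsoft. It parses an entitlements plist, flags the com.apple.security.cs.disable-library-validation setting, and rates the bundle higher when that setting is combined with sensitive entitlements that injected code would inherit. The `audit_app` wrapper assumes the standard macOS `codesign -d --entitlements :-` invocation; the two embedded plists are constructed samples so the parsing and rating logic runs on any system.

```shell
#!/bin/bash
# Added example: audit code-signing entitlements for the library-validation
# opt-out the article describes, and for the sensitive sandbox entitlements
# that injected code would inherit. Not from Talos or Microsoft.

# Sandbox / Hardened Runtime entitlements that grant access to protected
# resources (assumption: this list is illustrative, not exhaustive).
SENSITIVE_ENTITLEMENTS="com.apple.security.device.camera \
com.apple.security.device.microphone \
com.apple.security.device.audio-input \
com.apple.security.personal-information.addressbook \
com.apple.security.personal-information.calendars"

# entitlement_is_true PLIST_TEXT KEY
# Returns 0 if KEY appears in the XML plist text and its value is <true/>.
entitlement_is_true() {
    printf '%s\n' "$1" | awk -v key="$2" '
        index($0, "<key>" key "</key>") {
            if (/<true\/>/) { found = 1; exit }   # value on the same line
            want = 1; next                         # value is on a following line
        }
        want && /<true\/>/  { found = 1; exit }
        want && /<false\/>/ { exit }
        want && NF          { exit }               # some other value type
        END { exit found ? 0 : 1 }
    '
}

# sensitive_entitlements PLIST_TEXT
# Prints the sensitive entitlements set to true, space-separated.
sensitive_entitlements() {
    local key out=""
    for key in $SENSITIVE_ENTITLEMENTS; do
        entitlement_is_true "$1" "$key" && out="${out:+$out }$key"
    done
    printf '%s\n' "$out"
}

# injection_risk PLIST_TEXT
# low:    library validation in force (only Apple- or same-Team-ID-signed code loads)
# medium: validation disabled, but no sensitive entitlement to inherit
# high:   validation disabled AND the app holds sensitive entitlements
injection_risk() {
    if ! entitlement_is_true "$1" "com.apple.security.cs.disable-library-validation"; then
        printf 'low\n'; return
    fi
    if [ -n "$(sensitive_entitlements "$1")" ]; then
        printf 'high\n'
    else
        printf 'medium\n'
    fi
}

# audit_app /Applications/Some.app  (macOS only: needs codesign on PATH)
audit_app() {
    local plist
    plist=$(codesign -d --entitlements :- "$1" 2>/dev/null) ||
        { echo "cannot read entitlements of $1" >&2; return 2; }
    printf '%s\t%s\t%s\n' "$(injection_risk "$plist")" "$1" "$(sensitive_entitlements "$plist")"
}

# Constructed sample: sandboxed plugin host that opted out of library validation.
EXAMPLE_PLUGIN_HOST=$(cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
</dict>
</plist>
EOF
)

# Constructed sample: same device access, but library validation left enabled.
EXAMPLE_HARDENED=$(cat <<'EOF'
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <false/>
    <key>com.apple.security.device.camera</key>
    <true/>
</dict>
</plist>
EOF
)

if [ "$#" -gt 0 ]; then
    for app in "$@"; do audit_app "$app"; done
else
    printf '%s\t%s\n' "$(injection_risk "$EXAMPLE_PLUGIN_HOST")" "constructed plugin-host sample"
    printf '%s\t%s\n' "$(injection_risk "$EXAMPLE_HARDENED")" "constructed hardened sample"
fi
```

Run it with one or more `.app` paths on macOS to rate installed bundles; without arguments it rates the two embedded samples. The rating deliberately treats "validation disabled" alone as medium: the article's point is that the opt-out only becomes serious when the host process already holds consented access (camera, microphone, contacts) that a loaded library can reuse without a second prompt.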

Talos reported these vulnerabilities to the Microsoft team. Microsoft responded that it considers these issues low risk: the applications are deliberately designed to load unsigned libraries in order to support plugins, so it will not fix them there. However, Microsoft has fixed these vulnerabilities in the following apps, which do not support plugins:

  • Microsoft Teams (work or school)
  • Microsoft Teams (work or school) WebView.app helper app
  • Microsoft Teams (work or school) com.microsoft.teams2.modulehost.app
  • Microsoft OneNote

However, the following four apps remain vulnerable:

  • Microsoft Excel
  • Microsoft Outlook
  • Microsoft PowerPoint
  • Microsoft Word

While Microsoft's decision to prioritize plugin functionality over security in certain apps might be understandable from a technical standpoint, it leaves users exposed to significant risks. While measures like notarization of third-party plug-ins could potentially mitigate such vulnerabilities, implementing them poses a complex challenge. It remains to be seen how Apple will address and prevent similar vulnerabilities on its platform in the future, striking a balance between functionality and robust security.

Source: Talos
