Cisco Talos recently discovered eight vulnerabilities in various Microsoft 365 applications available on macOS. Through these vulnerabilities, hackers can bypass the macOS permission model by using existing app permissions without requesting any additional verification from the user. In simple terms, a hacker would be able to send emails from the user account, record audio clips, take pictures, or record videos without any permission from the user.
| Talos ID | CVE | App name |
|---|---|---|
| TALOS-2024-1972 | CVE-2024-42220 | Microsoft Outlook |
| TALOS-2024-1973 | CVE-2024-42004 | Microsoft Teams (work or school) |
| TALOS-2024-1974 | CVE-2024-39804 | Microsoft PowerPoint |
| TALOS-2024-1975 | CVE-2024-41159 | Microsoft OneNote |
| TALOS-2024-1976 | CVE-2024-43106 | Microsoft Excel |
| TALOS-2024-1977 | CVE-2024-41165 | Microsoft Word |
| TALOS-2024-1990 | CVE-2024-41145 | Microsoft Teams (work or school) WebView.app helper app |
| TALOS-2024-1991 | CVE-2024-41138 | Microsoft Teams (work or school) com.microsoft.teams2.modulehost.app |
These vulnerabilities are based on a code injection technique in which malicious code is inserted into a legitimate process so that it inherits that process's access to protected resources. macOS already has security features such as Hardened Runtime to protect against code injection: Hardened Runtime prevents an app from loading frameworks, plug-ins, or libraries unless they are either signed by Apple or signed with the same Team ID as the main app. However, a developer can opt out of this protection by explicitly setting the com.apple.security.cs.disable-library-validation entitlement to true. Microsoft's macOS applications have this entitlement enabled, which is the root cause of these eight vulnerabilities.
To counter this risk, sandboxing is required for apps distributed through the Mac App Store. Sandboxing is designed to restrict access to resources and data; a sandboxed app can only access the resources it has explicitly requested through entitlements, and access to some of those resources is further protected by a user consent pop-up.
For example, a sandboxed app will prompt the user for camera access only if it has the com.apple.security.device.camera entitlement set to true. If this entitlement is not present, the app won't be allowed camera access, and consequently the permission pop-up won't even appear. The flip side is that once the user has granted such a permission, any code running inside that app, including an injected library, inherits it without a further prompt.
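As an added illustration (not code from Talos or Microsoft), the following script applies the reasoning above to an app's entitlements plist: it flags the Hardened Runtime opt-outs and reports which sensitive, user-consented resources would be inherited by injected code when library validation is disabled. The plist below is a constructed sample; on a real Mac the same XML is obtained with `codesign -d --entitlements :- /Applications/App.app` (add `--xml` on recent macOS).

```python
import plistlib

# Constructed sample resembling the configuration the article describes:
# sandboxed, library validation disabled, camera and microphone entitled.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict>
</plist>
"""

LIB_VALIDATION_OFF = "com.apple.security.cs.disable-library-validation"

# Real Apple entitlement keys that weaken Hardened Runtime protections.
WEAKENING = {
    LIB_VALIDATION_OFF: "libraries signed by other Team IDs (or unsigned) can be loaded",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_* injection variables are honoured",
    "com.apple.security.cs.allow-unsigned-executable-memory": "unsigned executable memory is allowed",
}

# Real sandbox entitlements that gate a user-consent prompt for a sensitive resource.
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendars",
}


def assess(entitlements_xml: bytes) -> dict:
    """Summarise injection exposure from an entitlements plist (empty bytes = no entitlements)."""
    ent = plistlib.loads(entitlements_xml) if entitlements_xml.strip() else {}
    weakening = [k for k in WEAKENING if ent.get(k) is True]
    sensitive = [name for k, name in SENSITIVE.items() if ent.get(k) is True]
    # The article's scenario: library validation off means a library from any signer runs
    # inside the app and reuses every consent the user already granted to that app.
    exposed = sensitive if LIB_VALIDATION_OFF in weakening else []
    return {
        "sandboxed": ent.get("com.apple.security.app-sandbox") is True,
        "weakening": weakening,
        "sensitive": sensitive,
        "exposed_via_injection": exposed,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_ENTITLEMENTS).items():
        print(f"{key}: {value}")
```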
Talos reported these vulnerabilities to Microsoft. Microsoft responded that the issues are low risk: these applications are deliberately designed to load unsigned libraries in order to support plugins, so Microsoft will not fix them. However, Microsoft has fixed the vulnerabilities in the following apps, which do not support plugins:
- Microsoft Teams (work or school) app
- Microsoft Teams (work or school) Web
- Microsoft Teams (work or school)
- Microsoft OneNote
However, the following four apps remain vulnerable:
- Microsoft Excel
- Microsoft Outlook
- Microsoft PowerPoint
- Microsoft Word
Microsoft's decision to prioritize plugin functionality over security in certain apps may be understandable from a technical standpoint, but it leaves users exposed to significant risk. Measures such as notarization of third-party plug-ins could potentially mitigate these vulnerabilities, although implementing them is a complex challenge. It remains to be seen how Apple will address and prevent similar vulnerabilities on its platform in the future while striking a balance between functionality and robust security.
Source: Talos