Cisco Talos has identified eight security vulnerabilities in Microsoft applications running on the macOS operating system, raising concerns about potential exploitation by adversaries.
These vulnerabilities, if exploited, could allow attackers to hijack the permissions and entitlements of Microsoft applications, leading to unauthorized access to sensitive resources such as microphones, cameras, and user data.
The vulnerabilities revolve around the macOS security model, particularly its Transparency, Consent, and Control (TCC) framework.
This framework is designed to protect user privacy by requiring explicit user consent before applications can access sensitive resources. However, Cisco Talos discovered that these Microsoft applications could be manipulated to bypass this permission model, allowing attackers to use existing app permissions without user verification.
List of Affected Applications
The vulnerabilities were found in the following Microsoft applications, each identified by a corresponding CVE:
- Microsoft Outlook (CVE-2024-42220)
- Microsoft Teams (work or school) (CVE-2024-42004)
- Microsoft PowerPoint (CVE-2024-39804)
- Microsoft OneNote (CVE-2024-41159)
- Microsoft Excel (CVE-2024-43106)
- Microsoft Word (CVE-2024-41165)
- Microsoft Teams WebView.app helper app (CVE-2024-41145)
- Microsoft Teams com.microsoft.teams2.modulehost.app (CVE-2024-41138)
If an attacker successfully exploits these vulnerabilities, they could perform actions such as sending emails, recording audio, or capturing video without user knowledge. Microsoft has classified these issues as low risk and has declined to fix them, citing the need to allow loading of unsigned libraries for plugin support in some applications.
The vulnerabilities were discovered in two groups of apps: Microsoft Office apps (Word, Outlook, Excel, OneNote, PowerPoint) and Microsoft Teams apps (Teams, WebView.app, com.microsoft.teams2.modulehost.app).
All these apps are vulnerable to library injection attacks because they have the com.apple.security.cs.disable-library-validation entitlement set to true. That entitlement switches off the hardened runtime's library validation, the check that a loaded library be signed by Apple or by the same developer as the app, so an attacker can inject any library and run arbitrary code within the compromised application, inheriting its TCC permissions.
For example, if an attacker injects a malicious library into Microsoft Outlook, they could send emails without user interaction. Similarly, if an attacker injects a library into Microsoft Teams, they could access the camera and microphone without triggering any pop-up notifications.
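A defender can audit which installed bundles carry the entitlement described above. The following is an added example, not Cisco Talos' or Microsoft's code: it parses the XML plist that `codesign -d --entitlements :- App.app` prints on macOS, and the embedded sample plist is constructed for demonstration.

```python
"""Added example (not Cisco Talos' or Microsoft's code): parse the XML plist
that `codesign -d --entitlements :- <App.app>` prints and flag bundles whose
com.apple.security.cs.disable-library-validation entitlement is true."""
import plistlib
import shutil
import subprocess
from pathlib import Path

DISABLE_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"

# Constructed sample, shaped like codesign output for an app that opts out.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>
"""

def disables_library_validation(entitlements_xml: bytes) -> bool:
    """True if the plist sets the entitlement to <true/>; False when the
    app has no entitlements (empty output) or the key is absent or false."""
    if not entitlements_xml.strip():
        return False
    ents = plistlib.loads(entitlements_xml)
    return bool(ents.get(DISABLE_LIB_VALIDATION, False))

def entitlements_for(app_path: Path) -> bytes:
    """Run codesign (macOS only); the ':-' form strips the blob header so
    plistlib can parse stdout directly."""
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not found; run this on macOS")
    res = subprocess.run(["codesign", "-d", "--entitlements", ":-", str(app_path)],
                         capture_output=True, check=False)
    return res.stdout

def audit(app_dir: Path = Path("/Applications")) -> list:
    """Names of .app bundles under app_dir that disable library validation."""
    flagged = []
    for app in sorted(app_dir.glob("*.app")):
        try:
            if disables_library_validation(entitlements_for(app)):
                flagged.append(app.name)
        except Exception:
            continue  # unsigned app or unparseable codesign output: cannot assess
    return flagged
```

Call `audit()` on a Mac to list bundles in /Applications that opt out of library validation; each one should then be checked in Privacy & Security for what TCC permissions it already holds.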
Understanding the macOS Security Model
Apple’s macOS employs a layered security model that includes TCC and entitlements to protect user privacy. While TCC requires user consent for accessing sensitive data, entitlements grant specific capabilities to applications.
However, the identified vulnerabilities highlight potential weaknesses in this model, particularly when trusted applications are compromised.
Microsoft has updated four of the vulnerable applications, removing the entitlement that allowed library validation to be disabled. However, Microsoft Excel, Outlook, PowerPoint, and Word remain vulnerable. Users are advised to be cautious and monitor application permissions through the macOS “Privacy & Security” settings.
The discovery of these vulnerabilities underscores the importance of robust security measures in software applications.
While the macOS security model provides significant protection, the potential for exploitation through trusted applications highlights the need for continuous vigilance and updates to security protocols.
Users are encouraged to stay informed about application permissions and to update software regularly to mitigate potential risks.
(cybersecuritynews.com)