Cisco Talos recently uncovered security vulnerabilities in several Microsoft apps for macOS that can potentially let attackers spy on your camera and other system components.
Talos claims to have found eight vulnerabilities in Microsoft apps for macOS, including Word, Outlook, Excel, OneNote, and Teams. These vulnerabilities allow attackers to inject malicious code into the apps, exploiting permissions and entitlements granted by the user.
For instance, attackers could access the microphone or camera, record audio or video, and steal sensitive information without the user’s knowledge. The library injection technique inserts malicious code into a legitimate process, allowing the attacker to operate as the compromised app.
Potential impact
The impact of the vulnerabilities varies based on the application and its permissions. For instance, Microsoft Teams, widely used for professional communication, can be exploited to record conversations or access sensitive data.
Similarly, Microsoft Outlook can be exploited to send unauthorized emails, potentially leading to data breaches.
Cisco Talos says that the applications carry the com.apple.security.cs.disable-library-validation entitlement. This entitlement disables library validation, the security feature that prevents unsigned or untrusted libraries from being loaded, and so makes the applications vulnerable to library injection attacks.
Microsoft has acknowledged the vulnerabilities found by Cisco Talos but considers them low risk. Some apps, like Microsoft Teams, OneNote, and the Teams helper apps, have been modified to remove this entitlement, reducing vulnerability.
However, other apps, such as Microsoft Word, Excel, Outlook, and PowerPoint, still use this entitlement, making them susceptible to attacks. Microsoft has reportedly “declined to fix the issues,” because the company’s apps “need to allow loading of unsigned libraries to support plugins.”
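For administrators who want to see which installed apps are in the position described above, the following added example (not code from Cisco Talos or Microsoft) parses an app's entitlements plist and flags the combination of disabled library validation with camera or microphone entitlements. The camera and microphone keys are real Apple entitlements that the article does not list; the sample app names, the sample plists and the three risk labels are assumptions made for illustration.

```python
import plistlib

# Entitlement named in the article: switches off library validation.
DISABLE_LV = "com.apple.security.cs.disable-library-validation"
# Apple entitlement keys for camera and microphone use (not listed in the article).
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}


def assess(entitlements_xml: bytes) -> dict:
    """Classify one app from its entitlements plist (XML bytes).

    On a Mac the plist can be dumped with
    `codesign -d --entitlements :- /path/to/App.app`.
    """
    # An app signed without entitlements yields empty output.
    ents = plistlib.loads(entitlements_xml) if entitlements_xml.strip() else {}
    lv_disabled = ents.get(DISABLE_LV) is True
    resources = sorted(v for k, v in SENSITIVE.items() if ents.get(k) is True)
    if lv_disabled and resources:
        risk = "high"      # unsigned libraries allowed in an app that can use these
    elif lv_disabled:
        risk = "review"    # validation off, but no camera/microphone entitlement
    else:
        risk = "ok"        # the disable-library-validation entitlement is absent
    return {"library_validation_disabled": lv_disabled,
            "resources": resources, "risk": risk}


# Constructed sample entitlements; the app names are hypothetical.
SAMPLES = {
    "SampleOffice.app": plistlib.dumps({DISABLE_LV: True,
        "com.apple.security.device.camera": True,
        "com.apple.security.device.audio-input": True}),
    "SamplePluginHost.app": plistlib.dumps({DISABLE_LV: True}),
    "SampleChat.app": plistlib.dumps({"com.apple.security.device.camera": True}),
    "SampleTool.app": b"",
}


def audit(samples: dict) -> dict:
    """Run assess() over a mapping of app name -> entitlements plist bytes."""
    return {name: assess(xml) for name, xml in samples.items()}


if __name__ == "__main__":
    for name, result in audit(SAMPLES).items():
        print(f"{name:22} {result['risk']:7} {', '.join(result['resources']) or '-'}")
```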
Understanding the macOS security model
Apple’s macOS is built with a layered security model to protect users from unauthorized access and data breaches. Central to the model is the Transparency, Consent, and Control (TCC) framework, which governs how applications can access sensitive resources such as the microphone, camera, and location services.
Additionally, macOS employs Discretionary Access Control (DAC) policies, which provide essential protection by restricting access to specific resources based on user permissions.
However, even with these security measures, vulnerabilities can still arise, mainly when apps are granted excessive permissions or security policies are circumvented. In the case of the Microsoft apps analyzed by Cisco Talos, exploiting these vulnerabilities could lead to unauthorized access to sensitive user data, such as the ability to record audio or video without the user’s consent.
For users, the best defense is to remain vigilant and ensure that their apps are regularly updated to the latest versions, which often include critical security patches. These findings remind developers of the importance of adhering to best security practices and avoiding unnecessary risks that could compromise user data.
Separately, in 2021, Cisco Talos reported on collaboration apps, including Slack and Discord, being used to deliver and control malware.