Widely used Microsoft apps for macOS are vulnerable to library injection attacks that let adversaries use the applications’ entitlements to bypass macOS’s strict permission-based security model and controls.
Attackers can abuse the vulnerable apps to execute a variety of malicious actions — like surreptitiously sending emails from a user’s account or recording audio and video clips — without the user’s knowledge and without the need for any user interaction.
Researchers from Cisco Talos recently discovered the issues when researching the exploitability of Apple’s Transparency, Consent and Control (TCC) framework for managing and enforcing privacy settings on user data and various system services on macOS systems. One of TCC’s core functions is controlling an application’s access to sensitive user data and to system features like the camera, microphone, contacts, calendars, and location services.
Vulnerable Apps
Cisco Talos researchers found eight major Microsoft apps for macOS — Outlook, Teams, PowerPoint, OneNote, Excel, Word, and two other Teams-related components — allow attackers to inject a malicious library into the app’s running processes. “That library could use all the permissions already granted to the process, effectively operating on behalf of the application itself,” Cisco Talos said in a report this week.
The issue identified by Cisco Talos has to do with Microsoft’s decision to disable a library validation feature in the apps so as to allow the loading of third-party plug-ins. “Permissions regulate whether an app can access resources such as the microphone, camera, folders, screen recording, user input, and more. So, if an adversary were to gain access to these, they could potentially leak sensitive information or, in the worst case, escalate privileges,” the researchers said.
Cisco Talos has issued eight separate CVEs for the disabled library validation issue across the eight Microsoft apps for macOS.
Microsoft did not immediately respond to a Dark Reading request for comment. However, according to Cisco Talos, Microsoft has characterized the issue as a low-severity threat and has said it will not issue any fix for it. Even so, Microsoft does appear to have updated the affected Teams and OneNote apps after being notified of the problem, Cisco Talos said. But four Microsoft apps for macOS (Excel, Outlook, PowerPoint, and Word) remain vulnerable, the security vendor said.
Apple’s TCC Undermined
Jason Soroko, senior vice president of product at Sectigo, says Microsoft’s decision to classify the issue as low-severity and opt not to issue a fix is potentially risky. “This approach overlooks the harm if attackers exploit these vulnerabilities to gain unauthorized access to sensitive device features like the camera or microphone,” Soroko says. “By downplaying the threat, Microsoft risks underestimating the ingenuity of attackers who could weaponize even ‘low severity’ flaws in creative and damaging ways.”
Cisco Talos itself has described the Microsoft apps as undermining the security and privacy protection of Apple’s TCC framework. Unlike most other operating systems that rely by default on what is known as Discretionary Access Control, TCC goes a step further in requiring apps to obtain explicit user permission when seeking to access certain content and services such as contacts, calendars, photos, and access to the microphone and camera. TCC also supports a feature that protects specifically against code and library injection into an application’s running processes.
By disabling library validation, Microsoft has essentially given an opening for attackers to do an end run around the protections and sneak an arbitrary library into the app’s running processes, Cisco Talos said.
Soroko says the ease of exploiting this issue varies. “While library injection attacks require technical skill, the fact that these vulnerabilities exist in widely used applications like Teams and Outlook increases the risk profile. An attacker with sufficient knowledge could exploit these flaws, particularly in environments with relaxed security practices.”
He recommends that organizations review and tighten app permissions and implement monitoring for unusual activity.
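As an added, defender-side example (not code from the Cisco Talos report or from this article), the shell script below audits app bundles for the hardened-runtime entitlements that switch off library validation, the setting the article describes, so an administrator can review them as Soroko suggests. It assumes macOS's `codesign` prints entitlements as an XML plist with `--entitlements :-`; the entitlement names `com.apple.security.cs.disable-library-validation` and `com.apple.security.cs.allow-dyld-environment-variables` are Apple's and are not named in the article, and the sample plists are constructed.

```shell
#!/bin/sh
# Added defensive example, not from the Cisco Talos report or this article.
# Flags app bundles whose entitlements weaken library validation, so that a
# library loaded into the process would inherit the app's TCC grants.

# Entitlements that let a process load code outside its own code signature.
# Assumption: these are Apple's entitlement names (the article does not list them).
RISKY_KEYS="com.apple.security.cs.disable-library-validation com.apple.security.cs.allow-dyld-environment-variables"

# $1: entitlements as an XML plist. Prints the risky keys set to <true/>,
# space separated; prints nothing when library validation is intact.
risky_entitlements() {
  # Collapse whitespace so each <key>..</key><true/> pair is contiguous.
  flat=$(printf '%s' "$1" | tr -d '\n\t ')
  found=""
  for key in $RISKY_KEYS; do
    case "$flat" in
      *"<key>${key}</key><true/>"*) found="${found:+$found }$key" ;;
    esac
  done
  printf '%s' "$found"
}

# Query one bundle with codesign (macOS only). Assumption: `--entitlements :-`
# prints an XML plist; on releases that print the bracketed [Key]/[Bool]
# form instead, add --xml.
audit_app() {
  ents=$(codesign -d --entitlements :- "$1" 2>/dev/null) \
    || { echo "$1: unsigned or unreadable"; return 0; }
  risky=$(risky_entitlements "$ents")
  [ -n "$risky" ] && echo "$1: REVIEW ($risky)" || echo "$1: ok"
}

# Walk an applications folder; usable as an MDM or fleet inventory script.
audit_all() {
  for app in "${1:-/Applications}"/*.app; do audit_app "$app"; done
}

# Constructed sample plists so the parser can be exercised off macOS.
SAMPLE_DISABLED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
</dict></plist>'
SAMPLE_ENFORCED='<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key>
  <false/>
</dict></plist>'

# Run the real audit only when asked for on macOS: ./audit.sh --audit [dir]
if [ "$(uname)" = Darwin ] && [ "${1:-}" = --audit ]; then audit_all "${2:-}"; fi
```

An app that reports REVIEW is not necessarily malicious (plug-in hosts legitimately need the entitlement), but it is one whose TCC grants should be kept to the minimum the organization actually uses.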