Errors in Microsoft macOS apps allow access to camera and microphone • The Register

According to Cisco Talos, eight vulnerabilities in Microsoft’s macOS apps could be abused by criminals to record video and audio from a user’s device, access sensitive data, log user input, and elevate privileges.

The vulnerabilities exist in Excel, OneNote, Outlook, PowerPoint, Teams, and Word, but Microsoft told Talos that they will not be fixed. All eight can be seen below:

  • CVE-2024-42220 (Outlook)

  • CVE-2024-42004 (Teams – Work or School) (Main App)

  • CVE-2024-39804 (PowerPoint)

  • CVE-2024-41159 (OneNote)

  • CVE-2024-43106 (Excel)

  • CVE-2024-41165 (Word)

  • CVE-2024-41145 (Teams – Work or School) (Help app WebView.app)

  • CVE-2024-41138 (Teams – Work or School) (com.microsoft.teams2.modulehost.app)

“Microsoft considers these issues to be low risk, claiming that some of their applications must allow the loading of unsigned libraries to support plug-ins. Microsoft has refused to fix the issues,” said Francesco Benvenuto, senior security research engineer at Talos.

Apple’s security model is permission-based and built on the Transparency, Consent, and Control (TCC) framework. Users familiar with macOS know it as the component that asks for permission to run new apps and shows prompts when those apps want to access sensitive resources such as contacts, photos, or the webcam.

TCC works with so-called “permissions”, only a limited set of which is available to software developers. The developers then choose which permissions their app needs.

So if they know that their app has a feature that requires the device’s microphone, they enable that permission. Once enabled, macOS recognizes that it needs to ask the user if that’s OK and delivers a prompt to get their explicit consent.

The basic idea behind Talos’s findings is that once these permissions – whatever you want to call them – are granted by the user, they persist unless they are manually changed in macOS System Preferences.

If an attacker can exploit the apps that have already been granted permission to do the things they want, they no longer need to trick their victim into running a shady program; instead, they can simply exploit Word, for example, and inject code into Word’s processes to access protected resources.

Apple addresses this with a few methods. Sandboxed apps are one of them. Every macOS app downloaded from the App Store is sandboxed and can only access the resources that the developers have specified through permissions.

A hardened runtime is another protection that works in conjunction with sandboxed apps. It prevents malicious libraries not specified by the developers or Apple itself from running and prevents attackers from executing code through trusted apps.

Benvenuto said some of Microsoft’s most popular apps have permissions enabled that allow them to disable security features introduced by Apple’s hardened runtime, such as library validation.

“Even though a hardened runtime environment protects against library injection attacks and the sandbox secures user data and system resources, malware can still find ways to exploit certain applications under certain conditions,” the researcher said.

“If successful, the attacker could take over the application’s permissions and privileges. It is important to note that not all sandboxed applications are equally vulnerable. Typically, a combination of specific permissions or vulnerabilities is required for an app to become a viable attack vector.

“The vulnerabilities we are addressing are relevant when an application loads libraries from locations that an attacker could potentially tamper with. If the application has the com.apple.security.cs.disable-library-validation permission, an attacker could inject any library and execute arbitrary code within the compromised application. This would allow the attacker to exploit the application’s full set of permissions and privileges.”

All affected Microsoft apps are protected by a hardened runtime and also disable library validation through permissions, effectively removing protection against malicious library injection, Benvenuto argued.
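To make the combination Benvenuto describes concrete, the following added example (not code from Talos or Microsoft) audits an app’s entitlements plist for the hardened-runtime opt-outs that neutralise library validation and for the sandbox entitlements whose TCC grants an injected library would inherit. The sample plists are constructed, not Microsoft’s real entitlements; on a Mac the XML for a real bundle comes from `codesign -d --entitlements :- --xml /Applications/<App>.app`.

```python
import plistlib

# Hardened-runtime entitlements that weaken the protections the runtime provides.
WEAKENING = {
    "com.apple.security.cs.disable-library-validation":
        "app may load libraries not signed by its own team or by Apple",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "app honours DYLD_* environment variables",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "app may map writable and executable memory",
}

# Sandbox entitlements whose TCC grants an injected library would inherit.
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.device.microphone": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.photos-library": "photos",
}

def assess(entitlements_xml: bytes) -> dict:
    """Rate an entitlements plist for the library-injection exposure Talos describes."""
    ents = plistlib.loads(entitlements_xml)
    weak = {k: WEAKENING[k] for k in WEAKENING if ents.get(k) is True}
    exposed = sorted({SENSITIVE[k] for k in SENSITIVE if ents.get(k) is True})
    lib_validation_off = "com.apple.security.cs.disable-library-validation" in weak
    if lib_validation_off and exposed:
        verdict = "HIGH"    # injected code would inherit camera/microphone/etc. grants
    elif weak:
        verdict = "MEDIUM"  # runtime weakened, but no sensitive grants to inherit
    else:
        verdict = "LOW"
    return {"verdict": verdict, "weakening": weak, "exposed": exposed}

# Constructed sample resembling a sandboxed productivity app with camera and
# microphone entitlements that also opts out of library validation.
PLIST_HEAD = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.device.camera</key><true/>
<key>com.apple.security.device.audio-input</key><true/>
"""
BEFORE = PLIST_HEAD + b"<key>com.apple.security.cs.disable-library-validation</key><true/></dict></plist>"
# The same app after the entitlement is dropped, as the article says Teams and OneNote did.
AFTER = PLIST_HEAD + b"</dict></plist>"

if __name__ == "__main__":
    for name, blob in (("before", BEFORE), ("after", AFTER)):
        print(name, assess(blob))
```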

He also stressed that only Office add-ins are available for Microsoft’s macOS apps, so there is no apparent reason to open the apps to third-party plug-ins, as the permission does.

The researcher did not go so far as to provide a working exploit showing how the issue could be abused in real-world attacks. The research served more as a reminder that software vendors ship apps for macOS that may not be as secure as users believe. We have reached out to Talos and will keep you updated if they offer more information.

Although Microsoft rated these vulnerabilities as low risk and refused to patch them, the company has since updated its Teams apps and OneNote to remove the permission that allowed library injection, essentially containing the flaws.

However, the Office apps were left untouched and, in Benvenuto’s view, remain unnecessarily vulnerable.

El Reg contacted Microsoft for comment, but there was no immediate response. ®

By Olivia
