Microsoft apps on macOS could be the biggest threat to your privacy

Microsoft apps like Word, Excel, Outlook, and Teams are so popular (and useful) that it’s almost impossible to avoid them, whether you’re using a Windows computer or a Mac. But due to an unpatched security flaw, these apps can become a haven for hackers on Apple Macs.

A cybersecurity research group has revealed that Microsoft apps on Macs have a security flaw that could allow hackers to access your photos, videos, contacts, and almost all of your private data.

And the worst part? Microsoft doesn’t consider the threat big enough to fix.



Microsoft ad. (Microsoft)

Vulnerabilities in Microsoft apps expose users to unauthorized data access

The cybersecurity research group Cisco Talos has discovered security vulnerabilities in Excel, OneNote, Outlook, PowerPoint, Teams, and Word. These vulnerabilities allow attackers to inject malicious libraries into these apps, gaining access to the apps’ permissions and the permissions granted by the user.

To understand why this is dangerous, let’s first look at the framework of macOS. Mac devices operate on a permission-based system and rely on the Transparency, Consent and Control (TCC) framework. You’ve probably noticed that every time you download a new app, you’re asked to allow it to run. If an app wants to access sensitive information like contacts, photos or webcams, you’re asked to allow or block access.

This system ensures that you know and trust the apps that have access to your private information. However, Apple doesn’t allow every app to request access to sensitive data – only apps with the appropriate permissions, that is, apps that Apple has authorized to make such requests. Apps without these permissions don’t ask you for permission to access sensitive data.

The Microsoft apps mentioned above have these permissions and the vulnerability they contain allows hackers to bypass permission requests and access your confidential information.

“We identified eight vulnerabilities in various Microsoft applications for macOS that could allow an attacker to bypass the operating system’s permission model by using existing app permissions without prompting the user for additional verification,” the researchers explain.

For example, a hacker could develop malware that would read your emails or view your browsing history without your knowledge. “All apps except Excel can access sensitive data like your email and web activity,” the group adds.


Macs on a desk. (Kurt “CyberGuy” Knutsson)


Is Microsoft working on a solution?

Microsoft considers the vulnerabilities to be “low risk” and has declined to fix them in some apps. “Microsoft considers these issues to be low risk and claims that some of their applications must allow the loading of unsigned libraries to support plug-ins and has declined to fix the issues,” the Cisco Talos research group said.

Microsoft has updated the Teams and OneNote apps on macOS to change how they handle library validation permission, but Excel, PowerPoint, Word, and Outlook remain vulnerable to the exploit.
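The combination described above, library validation turned off in an app that can also request sensitive resources, can be checked from an app's code-signing entitlements. The following is an added example, not code from Cisco Talos, Microsoft or this article; the two sample entitlement sets and the app names in the comments are constructed for illustration.

```python
import plistlib

# Entitlement that switches off library validation, so the process may load
# libraries that are not signed by Apple or by the app's own developer team.
DISABLE_LV = "com.apple.security.cs.disable-library-validation"

# Entitlements that allow a hardened-runtime app to ask TCC for a resource.
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendar",
    "com.apple.security.personal-information.photos-library": "photos",
}

def audit_entitlements(plist_bytes):
    """Flag an app whose entitlements pair disabled library validation
    with the ability to request sensitive resources.

    On a Mac the input is the output of (macOS 12 or later):
        codesign -d --entitlements - --xml /Applications/<App>.app
    """
    ent = plistlib.loads(plist_bytes)
    lv_disabled = ent.get(DISABLE_LV) is True
    resources = sorted(name for key, name in SENSITIVE.items()
                       if ent.get(key) is True)
    return {
        "library_validation_disabled": lv_disabled,
        "sensitive_resources": resources,
        # An injected library runs with the host app's entitlements and
        # with whatever access the user already granted to that app.
        "at_risk": lv_disabled and bool(resources),
    }

# Constructed sample: a hypothetical plug-in host ("ExampleChat.app").
SAMPLE_PLUGIN_HOST = plistlib.dumps({
    DISABLE_LV: True,
    "com.apple.security.device.camera": True,
    "com.apple.security.device.audio-input": True,
})

# Constructed sample: a hypothetical app that keeps library validation on.
SAMPLE_VALIDATED = plistlib.dumps({
    "com.apple.security.device.camera": True,
})

if __name__ == "__main__":
    for name, sample in [("ExampleChat", SAMPLE_PLUGIN_HOST),
                         ("ExampleCam", SAMPLE_VALIDATED)]:
        print(name, audit_entitlements(sample))
```

An app that reports `at_risk` is a candidate for the permission review described later in this article, since any access already granted to it extends to whatever library it can be made to load.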

Cisco Talos has not provided a working example of how this vulnerability could be exploited in real-world attacks. They also have not confirmed whether hackers have used the flaw to access users’ confidential information.


A woman works on her Mac laptop. (Kurt “CyberGuy” Knutsson)


The response from Microsoft and Apple

We contacted Microsoft and a company spokesperson provided the following statement:

“The disclosed cases do not pose a significant security risk because the technique described requires that the attacker already has certain access to the system. However, we have implemented several updates for additional protection as described in the report. As a best practice, customers should keep their software up to date and regularly review application permissions.”

We also contacted Apple but did not receive a response by our deadline.

What can you do to protect your data?

In this situation, there’s not much you can do to protect yourself unless Microsoft fixes the vulnerability. Here are some steps you can take to minimize the risk.

1. Keep your apps up to date: Regularly check for updates to your Microsoft apps through the Mac App Store or the Microsoft AutoUpdate tool. While not all vulnerabilities may be fixed, updates often contain important security patches that reduce the risk of exploitation.

2. Restrict permissions: Go to your macOS settings and review the permissions granted to Microsoft apps. Unless absolutely necessary, disable access to sensitive data like your camera, microphone, contacts, and calendar. For example, if you rarely use the camera in Teams, you can revoke its access. Here’s how:

  • Click on the Apple menu in the upper left corner of your screen and select “System Settings.”
  • In the System Settings window, scroll down and select “Privacy & Security” from the sidebar.
  • In the Privacy & Security section you will find various categories such as Camera, Microphone, Contacts and Calendar. Click on each category to see which apps have access.
  • For each category, find Microsoft apps (e.g. Microsoft Teams, Outlook) and disable them to revoke access when it is not necessary. For example, if you rarely use the camera in Teams, you can deactivate it in the “Camera” section.
  • Close the System Settings window to save your changes. The apps will no longer have access to the data you provided unless you grant them access again.

On earlier versions of macOS, the steps to restrict permissions for Microsoft apps are slightly different. Here’s how to do it:

  • Click on the Apple menu in the upper left corner of your screen and select “System Preferences.”
  • In the System Preferences window, click “Security & Privacy.”
  • In the Security & Privacy window, go to the “Privacy” tab.
  • In the left sidebar you will see different categories like Camera, Microphone, Contacts and Calendar.
  • Click on each category to see which apps have access.
  • To make changes, you may need to click the lock icon in the lower left corner and enter your administrator password.
  • Find the Microsoft apps (e.g. Microsoft Teams, Outlook) and disable them to revoke access if necessary.
  • Close the Security & Privacy window to save your changes. The apps will no longer have access to the data you provided unless you grant them access again.

These steps will help ensure that Microsoft apps on your macOS have limited access to sensitive data, improving your privacy and security.

3. Consider alternatives: If you’re concerned about security, consider using alternative office software that’s less exposed to these vulnerabilities. Apple’s suite of productivity apps, including Pages, Numbers, and Keynote, is designed specifically for macOS and offers robust security features. These apps can serve as viable replacements for Word, Excel, and PowerPoint.

Additionally, Google Workspace offers cloud-based tools like Google Docs, Sheets, and Slides that are accessible from any device and offer strong security measures. By switching to these alternatives, you can reduce the risk of unauthorized data access and maintain greater control over your personal information.

4. Use strong antivirus software: The best way to protect yourself from malicious links that install malware and potentially access your private data on your Mac is to install antivirus software on all your devices. This protection can also warn you about phishing emails and ransomware scams, keeping your personal information and digital assets safe. See my picks for the best antivirus protection of 2024 for your Windows, Mac, Android and iOS devices.


Kurt’s most important insight

While Microsoft apps like Word, Excel, Outlook, and Teams are essential tools for many, their vulnerabilities on macOS pose significant security risks. The discovery shows how these apps can be exploited to access sensitive data without your consent. Despite the seriousness of these findings, Microsoft’s decision not to fix all of the vulnerabilities puts you in a precarious position. It’s critical that you stay vigilant by keeping your apps up to date, limiting permissions, and considering alternative software solutions to protect your data. As technology evolves, threats also evolve, making it imperative for you to prioritize security.

How should Microsoft take responsibility for your security and privacy in light of the vulnerabilities identified in its applications? Let us know by writing to Cyberguy.com/Contact


By Olivia
