Several Microsoft productivity apps for macOS contain vulnerabilities that could let an attacker steal sensitive data, record user activity on the device, capture audio and video, and gain additional permissions on the system.
This is according to a new report from cybersecurity researchers at Cisco Talos, who say the vulnerabilities they discovered relate to the way macOS handles app permissions. Simply put, the first time an app needs to access a protected resource such as the microphone, macOS asks the user for explicit permission. Once granted, that permission is tied to the app and stays in effect until the user revokes it, and any code that runs inside the app's process, including a library the app loads, inherits it.
An attacker who already has code running on the machine can therefore look for apps that have been granted extensive permissions and inject a malicious library into one of them, gaining those permissions without triggering a new prompt, the researchers concluded.
Flaws in Microsoft apps
In total, the team identified eight vulnerabilities affecting six Microsoft applications:
CVE-2024-42220 (Outlook)
CVE-2024-42004 (Teams – Work or School) (Main App)
CVE-2024-39804 (PowerPoint)
CVE-2024-41159 (OneNote)
CVE-2024-43106 (Excel)
CVE-2024-41165 (Word)
CVE-2024-41145 (Teams – Work or School) (Help app WebView.app)
CVE-2024-41138 (Teams – Work or School) (com.microsoft.teams2.modulehost.app)
While this may seem like a big problem, Microsoft has a different view. The company told researchers that there are too many variables, making exploitation of these vulnerabilities highly unlikely.
For this reason, the company has no plans to fix the vulnerabilities. The researchers wrote in their blog post: “Microsoft considers these issues to be low-risk. Some of their applications reportedly need to allow the loading of unsigned libraries to support plug-ins. Microsoft has refused to fix the issues.”
However, The Register has reported that Microsoft updated its Teams apps and OneNote to remove the feature that allowed library injection, which was the crux of the problem.
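To check whether an installed bundle still permits this kind of library injection, here is an added shell example; it is not code from the article, from Cisco Talos or from Microsoft. It assumes that the "loading of unsigned libraries" the researchers describe is enabled by the Hardened Runtime entitlement com.apple.security.cs.disable-library-validation (Apple's documented key, which the article does not name), reads codesign output, and flags a bundle as injectable when either the Hardened Runtime is not enabled or that entitlement is set to true. The entitlement plists and codesign flag lines embedded in the script are constructed samples, not captured from any Microsoft app.

```shell
#!/bin/sh
# Added example, not code from the article, Cisco Talos or Microsoft.
# Audits macOS app bundles for the two conditions under which a dylib that is
# unsigned (or signed by a different Team ID) can be loaded into a signed app:
#   1. the Hardened Runtime is not enabled ("runtime" missing from the
#      code-signing flags), so library validation is never enforced; or
#   2. the Hardened Runtime is enabled but the app opts out of library
#      validation with the entitlement com.apple.security.cs.disable-library-validation.
# Assumption: that entitlement is the "loading of unsigned libraries" the
# article refers to; the article itself does not name it.

ENTITLEMENT='com.apple.security.cs.disable-library-validation'

# Reads an entitlements plist (XML, as printed by `codesign -d --entitlements :-`)
# on stdin and prints:
#   disabled  - the key is present and set to <true/>
#   enforced  - the key is absent or not <true/>
# Newlines and tabs are stripped first so the key and its value can be matched
# even though plist pretty-printing puts them on separate lines.
library_validation_state() {
    if tr -d '\n\t' | grep -q "<key>${ENTITLEMENT}</key> *<true/>"; then
        echo disabled
    else
        echo enforced
    fi
}

# Reads `codesign -dv` output on stdin and prints "hardened" if the
# CodeDirectory flags include the runtime flag, e.g. flags=0x10000(runtime).
hardened_runtime_state() {
    if grep -q 'flags=.*(.*runtime'; then
        echo hardened
    else
        echo unhardened
    fi
}

# Combines both checks: the app is open to dylib injection if either holds.
injection_verdict() {
    if [ "$1" = unhardened ] || [ "$2" = disabled ]; then
        echo injectable
    else
        echo protected
    fi
}

# Runs the checks against a real bundle. Needs codesign, so macOS only;
# 2>/dev/null hides the deprecation warning newer codesign prints for ":-".
scan_app() {
    if ! command -v codesign >/dev/null 2>&1; then
        echo "codesign not found; run on macOS" >&2
        return 2
    fi
    rt=$(codesign -dv "$1" 2>&1 | hardened_runtime_state)
    lv=$(codesign -d --entitlements :- "$1" 2>/dev/null | library_validation_state)
    printf '%s\t%s\t%s\t%s\n' "$1" "$rt" "$lv" "$(injection_verdict "$rt" "$lv")"
}

# Constructed samples (not captured from any real app) so the parsing can be
# exercised off a Mac.
SAMPLE_PLUGIN_APP='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
  <key>com.apple.security.device.audio-input</key>
  <true/>
</dict>
</plist>'

SAMPLE_STRICT_APP='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.device.audio-input</key>
  <true/>
</dict>
</plist>'

SAMPLE_FLAGS_HARDENED='CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded'
SAMPLE_FLAGS_PLAIN='CodeDirectory v=20400 size=1234 flags=0x0(none) hashes=30+5 location=embedded'

# Usage: ./audit_dylib_injection.sh /Applications/*.app
for app in "$@"; do
    scan_app "$app"
done
```

Run it over /Applications/*.app on a Mac and look at the last column: a bundle reported as injectable but holding microphone, camera or screen-recording approval in System Settings > Privacy & Security is exactly the kind of target the researchers describe. Note that the entitlement is legitimate for apps with third-party plug-in ecosystems, so a hit is a risk indicator to review, not proof of a vulnerability.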