A critical vulnerability has been discovered in several popular Microsoft apps in Apple MacBook. The vulnerability could potentially allow hackers to steal user permissions from apps and gain unauthorized access to sensitive data like camera feeds and microphone recordings. The vulnerability reportedly affects a wide range of Microsoft apps for macOS, including Outlook, Teams, Word, Excel, PowerPoint and OneNote.
Vulnerability Details: Bypassing macOS Security Measures
The vulnerability was discovered by security researchers from Cisco Talos. In its report, the researchers highlighted that the vulnerability resides in the way Microsoft apps handle libraries.
Apple’s macOS has a framework known as Transparency Consent and Control (TCC), which manages app permissions to access things like location services, camera, microphone, library photos, and other files.
Each app needs an entitlement to request permissions from TCC. Apps without these entitlements won’t even ask for permissions, and consequently won’t have access to the camera and other parts of the computer. However, the exploit allowed malicious software to use the permissions granted to Microsoft apps.
“We identified eight vulnerabilities in various Microsoft applications for macOS, through which an attacker could bypass the operating system’s permission model by using existing app permissions without prompting the user for any additional verification,” the researchers explained. By exploiting this vulnerability, attackers can inject malicious libraries into Microsoft apps on a Mac.
Once injected, these malicious libraries can leverage the existing permissions granted to the Microsoft app (such as camera and microphone access) to spy on users like the example in the above image. Additionally, these libraries can steal other user permissions, potentially giving attackers broader control over the system.
Potential Consequence of Vulnerability
The potential consequences of this vulnerability are severe. Hackers could exploit it to:
- Spy on Users: Gain unauthorized access to a user’s camera and microphone, potentially recording video and audio conversations.
- Steal Sensitive Data: Access and steal sensitive data stored on the Mac, including documents, emails, and passwords.
- Escalate Privileges: Gain elevated privileges within the system, allowing them to perform actions with greater control.
- Disrupt System Functionality: Malicious libraries could disrupt the normal operation
After researchers shared the report to Microsoft, the tech giant updated the Microsoft Teams and OneNote apps for macOS with changes to how these apps handle the library validation entitlement. However, Excel, PowerPoint, Word, and Outlook are still vulnerable to the exploit. Microsoft told researchers that it considered this exploit to be “low risk” since it relies on loading unsigned libraries to support third-party plugins.
What Mac Users Can Do?
While a permanent fix from Microsoft is still awaited, Mac users can take several steps to mitigate the risk associated with this vulnerability:
- Update Microsoft Apps: Regularly update your Microsoft apps to the latest versions. Updates often include security patches that address newly discovered vulnerabilities.
- Disable Unnecessary Permissions: Review and disable any permissions granted to Microsoft apps that you don’t consider essential. For example, if you don’t use video conferencing features in Teams, you can disable camera access for the app.
The report raised questions about the vulnerability of third-party plugins in Apple products.
“It’s also important to mention that it’s unclear how to securely handle such plug-ins within macOS’ current framework. Notarization of third-party plug-ins is an option, albeit a complex one, and it would require Microsoft or Apple to sign third-party modules after verifying their security,” the report said.
“MacOS could also introduce a user prompt, akin to the resource permissions in TCC, enabling users to decide whether to load a specific third-party plug-in. This would provide a more controlled means of granting access without broadly compromising security,” it added.
