A vulnerability found in Microsoft apps for macOS allowed hackers to spy on Mac users. Security researchers from Cisco Talos reported in a blog post how the vulnerability could be exploited by attackers and what Microsoft has been doing to fix it.
Hackers can use Microsoft apps to access Mac users’ cameras and microphones
Cisco Talos, a cybersecurity group specializing in malware and system prevention, shared details on how a vulnerability in apps like Microsoft Outlook and Teams could let attackers access a Mac’s microphone and camera without the user’s consent. The attack is based on injecting malicious libraries into Microsoft apps to gain their entitlements and user-granted permissions.
Apple’s macOS has a framework known as Transparency, Consent, and Control (TCC), which manages app permissions to access things like location services, the camera, the microphone, the photo library, and other files.
Each app needs an entitlement to request permissions from TCC. Apps without these entitlements won’t even ask for permissions, and consequently won’t have access to the camera and other parts of the computer. However, the exploit allowed malicious software to use the permissions granted to Microsoft apps.
“We identified eight vulnerabilities in various Microsoft applications for macOS, through which an attacker could bypass the operating system’s permission model by using existing app permissions without prompting the user for any additional verification,” the researchers explain.
For example, a hacker could create malicious software to record audio from the microphone or even take photos without any user interaction. “All apps, except for Excel, have the ability to record audio, some can even access the camera,” the group adds.
Microsoft is working on a fix – but it doesn’t seem to be a priority
According to Cisco Talos, Microsoft considers this exploit to be “low risk” since it relies on loading unsigned libraries to support third-party plugins.
After the exploits were reported, Microsoft updated the Microsoft Teams and OneNote apps for macOS with changes to how these apps handle the library validation entitlement. However, Excel, PowerPoint, Word, and Outlook are still vulnerable to the exploit.
The researchers question why Microsoft had the need to disable library validation, especially when additional libraries are not expected to be loaded. “By using this entitlement, Microsoft is circumventing the safeguards offered by the hardened runtime, potentially exposing its users to unnecessary risks.”
At the same time, the researchers note that Apple could also make changes to TCC to make the system more secure. The group suggests that the system should prompt users when third-party plugins are loaded into apps that have already been granted permissions.
More details about the exploit can be found on the Cisco Talos blog.
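As an added example (not code from the article or from Cisco Talos), the following sketch shows how a defender could audit an app's entitlements for the combination the researchers describe: library validation disabled in an app that also holds camera or microphone entitlements. The entitlement key names are Apple's real keys, which the article does not spell out; the function name and the sample plists are constructed for illustration.

```python
import plistlib

# Apple entitlement keys (the article names the concepts, not the keys).
DISABLE_LIBRARY_VALIDATION = "com.apple.security.cs.disable-library-validation"
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}

def audit_entitlements(plist_bytes):
    """Return a list of findings for one app's entitlements plist.

    On a Mac the plist can be dumped from a signed app with, for example,
    `codesign -d --entitlements - --xml /path/to/App.app`.
    """
    try:
        ent = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable entitlements"]
    if not isinstance(ent, dict):
        return ["unparseable entitlements"]
    # Only entitlements explicitly set to true are in effect.
    enabled = {key for key, value in ent.items() if value is True}
    resources = sorted(SENSITIVE[key] for key in SENSITIVE.keys() & enabled)
    findings = []
    if DISABLE_LIBRARY_VALIDATION in enabled:
        if resources:
            findings.append("HIGH: library validation disabled; a loaded "
                            "library would inherit: " + ", ".join(resources))
        else:
            findings.append("INFO: library validation disabled; no camera "
                            "or microphone entitlement present")
    return findings

# Constructed sample entitlements (not taken from any real application).
SAMPLES = {
    "plugin_host": plistlib.dumps({
        DISABLE_LIBRARY_VALIDATION: True,
        "com.apple.security.device.camera": True,
        "com.apple.security.device.audio-input": True,
    }),
    "validated_app": plistlib.dumps({
        "com.apple.security.device.camera": True,
        "com.apple.security.device.audio-input": True,
    }),
    "explicitly_off": plistlib.dumps({DISABLE_LIBRARY_VALIDATION: False}),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, audit_entitlements(blob) or ["ok"])
```

An entitlement alone does not mean the user has granted access; TCC still records the actual grant per app, so a finding here marks an app worth reviewing, not a confirmed exposure.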