Cisco, Microsoft Disagree on Severity of macOS App Vulnerabilities 

Vulnerabilities in several Microsoft applications for macOS could allow attackers to bypass system permissions and perform various nefarious operations, according to Cisco.

The issues, affecting Outlook, Teams, PowerPoint, OneNote, Excel, and Word, could be exploited to send emails without the user’s knowledge, record audio or video, and take photos without user interaction.

Cisco claims the flaws allow attackers to bypass the operating system’s permissions model and gain the privileges already granted to the vulnerable applications, potentially leaking sensitive information.

Cisco identified eight vulnerabilities, explaining that all have the same root cause: attackers could inject unsigned libraries in Microsoft’s applications for macOS to potentially elevate privileges.

“A malicious application could inject a library and start the program to trigger this vulnerability and then make use of the vulnerable application’s permissions,” Cisco notes for each of the flaws.

Microsoft considers the bugs – CVE-2024-42220, CVE-2024-42004, CVE-2024-39804, CVE-2024-41159, CVE-2024-43106, CVE-2024-41165, CVE-2024-41145, and CVE-2024-41138 – low risk and, in some cases, has declined to address the issue, claiming that the software should support the loading of unsigned libraries – likely to support various plugins, Cisco says.

Cisco, however, which assigned all of them a ‘high severity’ rating, argues that the vulnerabilities allow attackers to bypass macOS’s policies that require all applications to explicitly request user permission before accessing protected resources.

This mechanism, which works in conjunction with entitlements (capabilities required for apps’ functionality), is meant to ensure that users are in control of their information and of which applications can access it.

Other security mechanisms in macOS include sandboxing, which restricts applications’ access to resources and data, and hardened runtime, which protects against code injection. That includes library injection, a technique that lets attackers execute code inside the process of another application.

According to Cisco, while many of Microsoft’s applications for macOS do employ hardened runtime, they also have a risky entitlement enabled, which allows an attacker to “inject any library and run arbitrary code within the compromised application” and exploit the app’s permissions and entitlements.

Microsoft Word, Excel, Outlook, OneNote, and PowerPoint are affected, permitting the loading of unsigned dynamic libraries. The main Teams application is also affected, along with the WebView and com.microsoft.teams2.modulehost.app helper apps.

Depending on the entitlements of each application, attackers could perform various actions: except for Outlook, the Office apps allow for the sending of emails without the user’s knowledge; except for Excel, they can record audio; and they can be used to extract keychain entries belonging to a specific access group.

The entitlements for the main Teams app could allow attackers to access the camera and microphone. Those for one of the helper apps enable it to take photos, record audio, and exfiltrate data, while those for the second helper allow it to request audio recording permission.
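
For defenders who want to check their own fleet for the pattern described above, the following Python is an added example, not code from Cisco's report or from Microsoft. It parses an app's entitlements plist and flags a hardened-runtime exception that permits library injection when it appears alongside entitlements for sensitive resources. The article does not name the risky entitlement, so the two Apple hardened-runtime exception keys checked here are this example's assumption, and the sample apps and their entitlements are constructed.

```python
import plistlib

# Hardened-runtime exceptions that permit library injection. The article does not
# name the entitlement; these real Apple keys are this example's assumption.
INJECTION_EXCEPTIONS = (
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
)
# Entitlements covering resources the article mentions.
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "keychain-access-groups": "keychain access groups",
}

def audit(entitlements_plist: bytes) -> dict:
    """Report whether library injection is possible and what it would inherit."""
    ent = plistlib.loads(entitlements_plist)
    # A key that is present but set to false does not weaken the runtime.
    weakened = sorted(k for k in INJECTION_EXCEPTIONS if ent.get(k) is True)
    # Booleans must be true; array values (keychain groups) must be non-empty.
    exposed = sorted(label for k, label in SENSITIVE.items() if ent.get(k))
    return {"weakened": weakened, "exposed": exposed,
            "broker_risk": bool(weakened and exposed)}

# Constructed sample entitlements (hypothetical apps, not dumps of real binaries).
SAMPLES = {
    "ExampleDocs.app": plistlib.dumps({
        "com.apple.security.cs.disable-library-validation": True,
        "com.apple.security.device.audio-input": True,
        "keychain-access-groups": ["TEAMID.example.shared"],
    }),
    "ExampleChat.app": plistlib.dumps({  # exception removed, permissions kept
        "com.apple.security.cs.disable-library-validation": False,
        "com.apple.security.device.camera": True,
        "com.apple.security.device.audio-input": True,
    }),
}

if __name__ == "__main__":
    for app, blob in SAMPLES.items():
        r = audit(blob)
        verdict = "REVIEW" if r["broker_risk"] else "ok"
        print(f"{app}: {verdict} weakened={r['weakened']} exposed={r['exposed']}")
```

On a Mac, the plist to feed into `audit()` can be obtained with `codesign -d --entitlements - --xml` followed by the application path.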

Microsoft has updated the Teams apps and OneNote for macOS and removed the risky entitlement from them. The other four applications remain vulnerable, Cisco says.

“The vulnerable apps leave the door open for adversaries to exploit all of the apps’ entitlements and, without any user prompts, reuse all the permissions already granted to the app, effectively serving as a permission broker for the attacker,” Cisco argues.
