Hackers can exploit flaws in these Microsoft apps to spy on macOS users
A cybersecurity group has discovered multiple vulnerabilities in apps Microsoft developed for macOS that could allow hackers to target users. The vulnerabilities affect apps including Microsoft Office, Outlook, Teams, OneNote and other apps from the Redmond-based company, and could allow hackers to gain access to a user’s camera and microphone by abusing Apple’s permissions framework on the desktop operating system. While Microsoft has released fixes for two of its apps on macOS, the other apps are still vulnerable to attackers.
Microsoft app vulnerabilities allow hackers to access camera and microphone without permission
Cybersecurity group Cisco Talos has revealed details of eight vulnerabilities discovered in Microsoft apps for macOS in a blog postThese flaws allowed hackers to inject specially crafted malicious libraries into six Microsoft apps: Outlook, Teams, PowerPoint, Excel, Word, and OneNote, thereby bypassing Apple’s permissions model on macOS.
How hackers can inject malicious libraries into legitimate apps on macOS
Photo Credit: Cisco Talos
To gain access to a user’s microphone and camera, malicious software must explicitly obtain permissions from the user, in accordance with Apple’s Transparency, Consent, and Control (TCC) framework on macOS. However, some malicious programs can use a process called library injection (or dylib injection on macOS) to gain access to permissions granted to other apps.
As a result, macOS users who had Microsoft apps installed on their computers could be vulnerable to hacking, according to Cisco Talos. The flaws allowed hackers to record audio by injecting libraries into the aforementioned apps. Microsoft Excel is the only app on the list that does not have access to the microphone, while apps like Microsoft Teams can also access the device’s camera.
Microsoft patches two affected apps, other apps remain vulnerable
The cybersecurity group says it reported the vulnerabilities to Microsoft, and that the company has since updated two of the affected apps with fixes for the flaws. Users running the latest versions of Microsoft Teams and OneNote should not be affected, but the company’s Outlook and Office apps are currently affected by the vulnerability.
According to Cisco Talos, Microsoft should not have disabled library validation because it exposes users to unnecessary risk by bypassing the stricter runtime protections Apple has implemented in the operating system, which are intended to protect users through TCC and its associated authorization model.
Apple could improve security on macOS by warning users when a third-party plugin is loaded into apps, as these apps may have already been granted permissions. This could warn users that these third-party plugins have access to the same permissions granted to the original app.
