Microsoft apps like Word, Excel, Outlook, and Teams are so popular (and useful) that they're almost unavoidable on both Windows computers and Macs. But unpatched vulnerabilities can make these apps a haven for hackers on Apple Macs.
A cybersecurity research group has revealed that a security flaw in a Microsoft app on the Mac could allow hackers to access a user's photos, videos, contacts, and nearly all of their personal data.
The worst part is that Microsoft doesn't think this is a big enough threat to fix it.
Vulnerability in Microsoft app exposes users to unauthorized data access
Cybersecurity research group Cisco Talos has discovered security vulnerabilities in Excel, OneNote, Outlook, PowerPoint, Teams, and Word that could allow attackers to inject malicious libraries into these apps and gain access to the apps' permissions and user-granted permissions.
To understand why it's dangerous, let's first look at the macOS framework. Mac devices run on a permission-based system and rely on the Transparency, Consent, and Control (TCC) framework. You may have noticed that every time you download a new app, it asks for your permission to run. Similarly, when an app tries to access sensitive information such as your contacts, photos, or webcam, you are asked to allow or block the access.
This system ensures that users know and can trust which apps have access to their personal information. However, Apple does not allow just any app to access sensitive data, only apps that have the appropriate permissions – that is, apps that Apple has authorized to make such requests. Apps that do not have these permissions will not ask for permission to access sensitive data.
The aforementioned Microsoft apps have these permissions, and a security flaw in them could allow hackers to bypass permission requests and access sensitive information.
“We discovered eight vulnerabilities in various Microsoft applications for macOS that could allow attackers to circumvent the operating system's permission model by using existing app permissions without prompting the user for additional confirmation,” the researchers explained.
For example, hackers could design malicious software to read your e-mail or view your browsing history without your knowledge. “All apps except Excel have access to sensitive data, such as your email and web activity,” the group adds.
Is Microsoft working on a fix?
“Microsoft considers these issues to be low risk and has refused to fix them in some of its apps, arguing that some of its apps need to allow the loading of unsigned libraries to support plugins,” Cisco's Talos research group said in a statement.
Microsoft has updated its Teams and OneNote apps on macOS to change how they handle library validation permissions. However, Excel, PowerPoint, Word, and Outlook are still vulnerable.
Cisco Talos has not provided any examples of how the vulnerability could be exploited in real-world attacks, nor has it yet confirmed whether hackers have used the flaw to access sensitive user information.
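An added check, not taken from the article or from Cisco Talos, for the library-validation setting described above: it reads each app's code-signing entitlements with macOS's codesign tool and reports whether the app opts out of library validation. The entitlement key is Apple's; the app paths are assumed default install locations, and the two sample plists are constructed for testing the parser.

```bash
#!/bin/bash
# Added example (not from the article or Cisco Talos): report which installed
# Microsoft apps opt out of macOS library validation.

# Apple hardened-runtime entitlement that lets an app load libraries
# not signed by Apple or by the app's own developer team.
ENT_KEY='com.apple.security.cs.disable-library-validation'

# Constructed sample entitlement plists, used to exercise the parser offline.
SAMPLE_OPTED_OUT='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.device.camera</key>
  <true/>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
</dict></plist>'
SAMPLE_ENFORCED='<plist version="1.0"><dict>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><false/>
</dict></plist>'

# Read an entitlements plist on stdin; succeed only if ENT_KEY is <true/>.
# Whitespace is stripped first so one-line and pretty-printed XML both match.
has_lv_disabled() {
    tr -d ' \t\r\n' | grep -qF "<key>${ENT_KEY}</key><true/>"
}

# Print one status line for an app bundle path.
audit_app() {
    # ":-" writes the entitlements as XML to stdout; newer macOS prints a
    # deprecation notice on stderr, which is discarded here.
    if codesign -d --entitlements :- "$1" 2>/dev/null | has_lv_disabled; then
        echo "library validation DISABLED: $1"
    else
        echo "library validation enforced or app not found: $1"
    fi
}

# Assumed default install paths; adjust to match your system.
if command -v codesign >/dev/null 2>&1; then
    for name in Word Excel PowerPoint Outlook OneNote Teams; do
        audit_app "/Applications/Microsoft ${name}.app"
    done
fi
```

An app reported as DISABLED can load libraries that are not signed by Apple or by its own developer, so the permissions granted to it deserve the closest review.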
Microsoft and Apple's response
We reached out to Microsoft and a company spokesperson provided the following statement:
“The published cases do not pose a significant security risk as the techniques described require the attacker to already have some level of access to the system. However, we have implemented some updates for additional protection, as detailed in the report. As a best practice, customers should keep their software up to date and regularly review application permissions.”
I also contacted Apple but did not receive a reply by deadline.
What can you do to protect your data?
Unless Microsoft fixes the vulnerability, there isn't much you can do to protect yourself in this situation. Still, here are some steps you can take to minimize the risk:
1. Keep your apps up to date: Regularly check for and apply security updates to Microsoft apps using the Mac App Store or the Microsoft AutoUpdate tool. While not all vulnerabilities are fixed, updates often contain important security patches that reduce the risk of exploitation.
2. Restrict permissions: Go to macOS settings and review the permissions that have been granted to Microsoft apps. Unless absolutely necessary, disable access to sensitive data like your camera, microphone, contacts, and calendar. For example, if you rarely use the camera in Teams, you can revoke that access. To do so:
- Click the Apple menu in the top-left corner of the screen and select System Settings.
- In the System Settings window, scroll down and select “Privacy and Security” from the sidebar.
- The Privacy and Security section has various categories, including Camera, Microphone, Contacts, and Calendar. Click each category to see the apps that have access.
- Look for Microsoft apps in each category (Microsoft Teams, Outlook, etc.) and uncheck them to revoke access if you don't need it. For example, if you rarely use the camera in Teams, uncheck it in the Camera section.
- Close the System Settings window to save your changes. The app will no longer be able to access the specified data unless you give it permission again.
The steps to restrict Microsoft app permissions are slightly different for older macOS versions. Here's how:
- Click the Apple menu in the top-left corner of the screen and select “System Preferences.”
- In the System Preferences window, click “Security and Privacy.”
- In the Security and Privacy window, select the “Privacy” tab.
- On the left sidebar you will see different categories: Camera, Microphone, Contacts, Calendar.
- Click each category to check which apps have access.
- To make changes, click the lock icon in the lower-left corner and enter your administrator password.
- Find Microsoft apps (e.g. Microsoft Teams, Outlook) and uncheck them to revoke access if you don't need it.
- Close the Security and Privacy window to save your changes. The app will no longer be able to access the specified data unless you give it permission again.
These steps limit the access that Microsoft apps on macOS have to sensitive data, improving your privacy and security.
3. Consider alternatives: If you're concerned about security, consider using alternative office software that's less susceptible to these vulnerabilities. Apple's suite of productivity apps, including Pages, Numbers, and Keynote, is designed specifically for macOS and includes strong security features. These apps can be used as alternatives to Word, Excel, and PowerPoint, respectively.
Additionally, Google Workspace offers cloud-based tools like Google Docs, Sheets, and Slides that can be accessed from any device and provide strong security measures. Switching to these alternatives can help reduce the risk of unauthorized data access and give you better control over your personal information.
4. Use powerful antivirus software: The best way to protect yourself from malicious links that can install malware and access personal information on your Mac is to have antivirus software installed on all your devices. This protection will also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. We've handpicked the winners of the best antivirus protection of 2024 for Windows, Mac, Android and iOS devices.
Kurt's key takeaways
Microsoft apps like Word, Excel, Outlook, and Teams are essential tools for many, but vulnerabilities on macOS pose significant security risks. This discovery highlights how these apps can be exploited to access sensitive data without user consent. Despite the severity of these discoveries, Microsoft's decision not to address all vulnerabilities puts users at risk. It is important to remain vigilant by keeping apps up to date, restricting permissions, and considering alternative software solutions to protect your data. As technology evolves, so do threats, so making security a priority is essential.
Copyright 2024 CyberGuy.com. All Rights Reserved.