Widely used Microsoft apps for macOS are vulnerable to a library injection attack that lets attackers reuse the applications' permissions to circumvent macOS's strict permission-based security model and controls.
Attackers could exploit the vulnerable apps to perform a variety of malicious actions, such as secretly sending emails or recording audio and video clips from a user's account, without the user's knowledge and without any user interaction.
Cisco Talos researchers, who recently discovered the problem, say it involves Apple's Transparency, Consent and Control (TCC) framework, which manages and enforces privacy settings for user data and various system services on macOS. One of the core functions of TCC is to control application access to sensitive user data and system features such as the camera, microphone, contacts, calendar, and location services.
Vulnerable apps
Cisco Talos researchers discovered that eight major Microsoft apps for macOS — Outlook, Teams, PowerPoint, OneNote, Excel, Word, and two other Teams-related components — could allow attackers to inject a malicious library into the apps' running processes. “That library could then effectively act on behalf of the application itself, with all the privileges already granted to the process,” Cisco Talos said in a report this week.
The issue identified by Cisco Talos is linked to Microsoft's decision to disable the app's library validation feature to allow third-party plugins to be loaded. “Permissions control whether an app can access resources such as microphone, camera, folders, screen recording, and user input. So if an attacker gains access to these resources, they could leak sensitive information or, in the worst case, escalate their privileges,” the researchers said.
Francesco Benvenuto, a vulnerability researcher at Cisco Talos, said organizations can't enable library validation on their own even if they wanted to: “Microsoft says it's required for the add-ins to work, but Talos couldn't get a clear explanation of which ones those are. All the add-ins we found were written in HTML5, so there was no need to disable this permission,” he said.
According to Cisco Talos, Microsoft has classified the issue as a low-severity threat and said it will not provide a fix. Nevertheless, after being notified of the issue, Cisco Talos said Microsoft appears to have updated the affected Teams and OneNote apps. However, four of Microsoft's macOS apps — Excel, Outlook, PowerPoint and Word — remain vulnerable, the security vendor said.
In an emailed statement, a Microsoft spokesperson downplayed the severity of the issues identified by Talos. “The instances disclosed do not pose a significant security risk as the techniques described require an attacker to already have some level of access to the system,” the statement said. “However, as detailed in the report, we have implemented several updates for additional protections. As a best practice, customers should keep their software up to date and regularly review application permissions.”
Apple's TCC weakened
Benvenuto says an attacker would need to run with the privileges of the user, either through a shell or a malicious application. “Injecting into these processes is relatively easy: an attacker can copy a binary to a writeable location, for example /tmp, and inject their own libraries.”
Sectigo senior vice president of products Jason Soroko said Microsoft's decision to classify the issues as low severity and not issue a fix is potentially dangerous. “This approach overlooks the damage that could occur if an attacker exploits these vulnerabilities to compromise sensitive device features like the camera or microphone,” Soroko said. “By downplaying the threat, Microsoft risks underestimating attacker sophistication. Even if it is a ‘minor’ defect, attackers have creative and disruptive methods.”
Cisco Talos itself explains that the Microsoft apps undermine the security and privacy protections of Apple's TCC framework. Unlike most other operating systems, which rely by default on what's called discretionary access control, TCC goes a step further and requires apps to get explicit user permission when trying to access certain content or services, such as contacts, calendar, photos, or the microphone or camera. TCC also supports the ability to specifically prevent applications from injecting code or libraries into running processes.
According to Cisco Talos, by disabling library validation, Microsoft is essentially allowing attackers to circumvent protections and sneak arbitrary libraries into the process where the app is running.
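One way a defender can audit installed apps for the weakened configuration described above, by checking each app's entitlements for disabled library validation alongside the TCC-sensitive capabilities it holds. This is an added example, not code from Cisco Talos or Microsoft; it assumes the entitlements are captured as XML with `codesign -d --entitlements :- --xml <App.app>` on a recent macOS, and the sample plists embedded below are constructed.

```python
"""Audit app entitlements for disabled library validation (added example)."""
import plistlib
import subprocess

# Hardened-runtime entitlements that weaken protection against code injection.
DISABLE_LIBRARY_VALIDATION = "com.apple.security.cs.disable-library-validation"
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
# TCC-relevant entitlements: an injectable app holding these is a richer target.
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendar",
}

def parse_entitlements(xml_bytes: bytes) -> dict:
    """Parse an XML entitlements plist; an unsigned/entitlement-less app yields {}."""
    if not xml_bytes.strip():
        return {}
    return plistlib.loads(xml_bytes)

def assess(app_name: str, ents: dict) -> dict:
    """Flag apps whose hardened runtime permits foreign libraries to be loaded."""
    weak = [k for k in (DISABLE_LIBRARY_VALIDATION, ALLOW_DYLD_ENV) if ents.get(k) is True]
    exposed = [label for k, label in SENSITIVE.items() if ents.get(k) is True]
    return {"app": app_name, "injection_risk": bool(weak),
            "weak_entitlements": weak, "exposed_resources": exposed}

def audit_app(app_path: str) -> dict:
    """Run codesign on a real bundle (assumed command; macOS only)."""
    out = subprocess.run(["codesign", "-d", "--entitlements", ":-", "--xml", app_path],
                         capture_output=True, check=False).stdout
    return assess(app_path, parse_entitlements(out))

# Constructed sample entitlements, not taken from any real Microsoft binary.
SAMPLE_WEAK = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.device.camera</key><true/>
<key>com.apple.security.device.audio-input</key><true/>
</dict></plist>"""
SAMPLE_OK = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.disable-library-validation</key><false/>
<key>com.apple.security.device.camera</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("ConstructedWeak.app", SAMPLE_WEAK), ("ConstructedOk.app", SAMPLE_OK)):
        print(assess(name, parse_entitlements(blob)))
```

Point `audit_app` at a bundle under /Applications to check a real install; an `injection_risk` of True with a non-empty `exposed_resources` list is the combination the report warns about.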
Soroko says the ease of exploiting the issue varies: “Library injection attacks require technical skill, but the fact that these vulnerabilities exist in widely used applications such as Teams and Outlook increases the risk profile. A well-informed attacker could potentially exploit these flaws, especially in environments with lax security practices.”
He recommends that organizations review and tighten app permissions and conduct monitoring for unusual activity.
This story was updated at 1:26 PM ET to include additional details from Cisco Talos, and again at 2:55 PM ET to reflect comment from Microsoft.