A vulnerability has been discovered in a Microsoft app for macOS that could allow hackers to spy on Mac users. In a blog post, security researchers at Cisco Talos described how attackers could exploit the vulnerability and what Microsoft has been doing to fix it.
Hackers can use Microsoft apps to access Mac users' cameras and microphones
Cisco Talos, a cybersecurity group specializing in malware and system defense, has published details on how vulnerabilities in apps such as Microsoft Outlook and Teams could allow attackers to access a Mac's microphone and camera without the user's consent. The attack involves injecting a malicious library into Microsoft apps to obtain their permissions and the permissions granted by the user.
Apple's macOS has a framework called Transparency Consent and Control (TCC) that manages app permissions to access things like location services, the camera, microphone, photos in your library, and other files.
Each app needs the permission to request permissions from the TCC. Apps that don't have these permissions won't even ask for them and as a result won't have access to the camera or other parts of the computer. But this exploit allowed malicious software to use the permissions granted to Microsoft apps.
“We discovered eight vulnerabilities in various Microsoft applications for macOS that could allow attackers to circumvent the operating system's permission model by using existing app permissions without prompting the user for additional verification,” the researchers explained.
For example, hackers could create malicious software that could record audio from the microphone or take photos without user interaction. “All apps except Excel have the ability to record audio, and some have access to the camera,” the group added.
Microsoft is working on a fix, but it doesn't seem to be a priority.
According to Cisco Talos, Microsoft considers this exploit to be “low risk” because it relies on loading unsigned libraries to support third-party plugins.
After the exploit was reported, Microsoft updated its Microsoft Teams and OneNote apps for macOS to change how they handle library validation permissions, however Excel, PowerPoint, Word, and Outlook are still vulnerable to the exploit.
The researchers questioned why Microsoft needed to disable library validation, especially when the additional libraries were not supposed to be loaded: “By using this privilege, Microsoft could circumvent safeguards provided by the hardened runtime and expose users to unnecessary risk.”
At the same time, the researchers note that Apple could make changes to the TCC to make the system more secure: The group suggests that the system should prompt users when loading a third-party plugin into an app that is already allowed.
For more information on this exploit, see Cisco Talos Blog.
See also
FTC: We use automated affiliate links that generate revenue. more.