Security flaws in Microsoft Mac apps could let attackers spy on users


Cisco Talos recently uncovered security vulnerabilities in several Microsoft apps for macOS that can potentially let attackers spy on your camera and other system components.

Talos claims to have found eight vulnerabilities in Microsoft apps for macOS, including Word, Outlook, Excel, OneNote, and Teams. These vulnerabilities allow attackers to inject malicious code into the apps, exploiting permissions and entitlements granted by the user.

For instance, attackers could access the microphone or camera, record audio or video, and steal sensitive information without the user's knowledge. The library injection technique inserts malicious code into a legitimate process, allowing the attacker to operate as the compromised app.

Potential impact



The impact of vulnerabilities varies based on the application and its permissions. For instance, Microsoft Teams, widely used for professional communication, can be exploited to record conversations or access sensitive data.

Similarly, Microsoft Outlook can send unauthorized emails, potentially leading to data breaches.

Cisco Talos says that the applications carry the com.apple.security.cs.disable-library-validation entitlement. This entitlement disables library validation, the security feature that prevents unsigned or untrusted libraries from being loaded, which makes the applications vulnerable to library injection attacks.

Microsoft has acknowledged the vulnerabilities found by Cisco Talos but considers them low risk. Some apps, like Microsoft Teams, OneNote, and the Teams helper apps, have been modified to remove this entitlement, reducing their vulnerability.

By opening a more privileged app and injecting a malicious library, the bad actor gains the capabilities of the exploited app.



However, other apps, such as Microsoft Word, Excel, Outlook, and PowerPoint, still use this entitlement, making them susceptible to attacks. Microsoft has reportedly "declined to fix the issues," because the company's apps "need to allow loading of unsigned libraries to support plugins."
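
One way to check an app for the condition described above, as an added example (not code from Cisco Talos, Microsoft or this article): it parses an app's entitlements plist and flags library validation being disabled alongside camera, microphone or location entitlements. The sample plists, the `Example.app` path and the priority labels are constructed for illustration.

```python
import plistlib

# Hardened-runtime entitlement named in the article: turns off library validation.
DISABLE_LV = "com.apple.security.cs.disable-library-validation"
# Resource entitlements an injected library would inherit from the host app.
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.location": "location",
}

def audit_entitlements(plist_bytes):
    """Triage one app's entitlements plist (XML or binary, may be empty)."""
    # codesign prints nothing for an app that has no entitlements at all.
    ents = plistlib.loads(plist_bytes) if plist_bytes.strip() else {}
    # Only keys explicitly set to boolean true are granted.
    enabled = {key for key, value in ents.items() if value is True}
    lv_disabled = DISABLE_LV in enabled
    exposed = sorted(SENSITIVE[key] for key in enabled & SENSITIVE.keys())
    # Priority labels are an assumption of this example, not a Talos rating.
    if lv_disabled and exposed:
        priority = "review-first"
    elif lv_disabled:
        priority = "review"
    else:
        priority = "ok"
    return {"library_validation_disabled": lv_disabled,
            "exposed_resources": exposed, "priority": priority}

def _plist(*keys):
    """Build a constructed XML entitlements plist with each key set to true."""
    return plistlib.dumps({key: True for key in keys})

# Constructed samples; on macOS, real input comes from, e.g.:
#   codesign -d --entitlements - --xml /Applications/Example.app
SAMPLE_INJECTABLE = _plist(DISABLE_LV, "com.apple.security.device.camera",
                           "com.apple.security.device.audio-input")
SAMPLE_VALIDATED = _plist("com.apple.security.device.camera")

if __name__ == "__main__":
    for name, blob in [("injectable", SAMPLE_INJECTABLE),
                       ("validated", SAMPLE_VALIDATED), ("none", b"")]:
        print(name, audit_entitlements(blob))
```

An app that reports "review-first" here may still have a legitimate reason for the entitlement, such as the plugin support Microsoft cites, so the output is a list of apps to examine, not a verdict.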

Understanding the macOS security model



Apple's macOS is built with a layered security model to protect users from unauthorized access and data breaches. Central to the model is the Transparency, Consent, and Control (TCC) framework, which governs how applications can access sensitive data such as the microphone, camera, and location services.

Additionally, macOS employs Discretionary Access Control (DAC) policies, which provide essential protection by restricting access to specific resources based on user permissions.

However, even with these security measures, vulnerabilities can still arise, mainly when apps are granted excessive permissions or security policies are circumvented. In the case of the Microsoft apps analyzed by Cisco Talos, exploiting these vulnerabilities could lead to unauthorized access to sensitive user data, such as the ability to record audio or video without the user's consent.

For users, the best defense is to remain vigilant and ensure that their apps are regularly updated to the latest versions, which often include critical security patches. These findings remind developers of the importance of adhering to best security practices and avoiding unnecessary risks that could compromise user data.

Separately, in 2021, Cisco Talos reported on collaboration apps, including Slack and Discord, being used to deliver and control malware.




Comments

  • Reply 1 of 13
    rob53 Posts: 3,282 member
    Doesn't surprise me. Microsoft has been producing insecure software since the very beginning. Remember all the macro issues? Nothing has really changed.
  • Reply 2 of 13
    mrstep Posts: 518 member
    Microsoft - Number One InSecurity
  • Reply 3 of 13
    williamh Posts: 1,041 member
    Does Microsoft consider this to be a flaw or a feature?
  • Reply 4 of 13
    DAalseth Posts: 2,949 member
    No surprise. MS has always considered security to be a slapped on afterthought. They simply don’t prioritize it. 
  • Reply 5 of 13
    My Macs have been Microsoft, Adobe and Google (software) free zones for at least 10 years, and my life has been all the better for it :) 
    I must admit though, that I recently have installed Google Maps on my iPhone and iPad as my car runs Android Automotive and uses Google Maps for navigation, and it is nice to be able to plan trips on the phone or iPad and just send it to the car.
    edited August 19
  • Reply 6 of 13
    DAalseth Posts: 2,949 member
    Sigsgaard said:
    My Macs have been Microsoft, Adobe and Google (software) free zones for at least 10 years, and my life has been all the better for it :).
    I avoid all three as well. The only exception is my Mac that has MS Remote Desktop that I need for work. Other than that I stay away from them. 
  • Reply 7 of 13
    Recently read that 90% of high dollar cyber attacks exploit remote desktop as part of the attack. I have no way to confirm, but seems plausible.
  • Reply 8 of 13
    Meson Posts: 13 member
    Microsoft considers this low risk, because, let's be honest, no serious company is going to run their business on Macs.
  • Reply 9 of 13
    Sigsgaard said:
    My Macs have been Microsoft, Adobe and Google (software) free zones for at least 10 years, and my life has been all the better for it :) 
    I must admit though, that I recently have installed Google Maps on my iPhone and iPad as my car runs Android Automotive and uses Google Maps for navigation, and it is nice to be able to plan trips on the phone or iPad and just send it to the car.
    DAalseth said:
    Sigsgaard said:
    My Macs have been Microsoft, Adobe and Google (software) free zones for at least 10 years, and my life has been all the better for it :).
    I avoid all three as well. The only exception is my Mac that has MS Remote Desktop that I need for work. Other than that I stay away from them. 
    Same here for as long as I can remember. The only app I have installed from any of them is Google Earth, and I'm even giving that one serious side-eye lately... 
  • Reply 10 of 13
    rob53 Posts: 3,282 member
    Meson said:
    Microsoft considers this low risk, because, let's be honest, no serious company is going to run their business on Macs.
    I assume you should have added an /s at the end. I remember Delta Airlines mentioning they are seriously thinking about going to Apple products. Most publishing houses, big and small, are running on Apple hardware because it just runs better but it also runs longer, making their ROI much better. Many companies are required to run on Microsoft software because of business and legal (forced) requirements. This doesn't mean they'd really want to, they just are forced to continue paying for client licenses. Apple hardware is much easier to secure than Windows-based hardware. Checked out the government requirements for securing government systems. Apple has almost everything built into its operating systems while Microsoft requires a lot of extra software and tons of specialized configuration.

    disclaimer: I used to work for a large DOE contractor and helped Apple with government configuration requirements. This was back in the '90s and early 2000's. It took Apple several years to bake in everything that's needed. Microsoft will never be close to Apple because it has to stay open enough to satisfy all the third-party hacks. Unfortunately, the efforts by the EU are breaking this baked-in security because government organizations want to be able to hack into every single computerized device in the world.



  • Reply 11 of 13
    danox Posts: 3,220 member
    Meson said:
    Microsoft considers this low risk, because, let's be honest, no serious company is going to run their business on Macs.
    Like having third party companies in the OS Kernel low risk........
  • Reply 12 of 13
    danvm Posts: 1,460 member
    rob53 said:
    Meson said:
    Microsoft considers this low risk, because, let's be honest, no serious company is going to run their business on Macs.
    I assume you should have added an /s at the end. I remember Delta Airlines mentioning they are seriously thinking about going to Apple products. Most publishing houses, big and small, are running on Apple hardware because it just runs better but it also runs longer, making their ROI much better. Many companies are required to run on Microsoft software because of business and legal (forced) requirements. This doesn't mean they'd really want to, they just are forced to continue paying for client licenses. Apple hardware is much easier to secure than Windows-based hardware. Checked out the government requirements for securing government systems. Apple has almost everything built into its operating systems while Microsoft requires a lot of extra software and tons of specialized configuration.

    disclaimer: I used to work for a large DOE contractor and helped Apple with government configuration requirements. This was back in the '90s and early 2000's. It took Apple several years to bake in everything that's needed. Microsoft will never be close to Apple because it has to stay open enough to satisfy all the third-party hacks. Unfortunately, the efforts by the EU are breaking this baked-in security because government organizations want to be able to hack into every single computerized device in the world.
    I think that most publishers use Macs because it is the platform graphic designers prefer, and not necessarily because it runs better, lasts longer or has a better ROI. Most architectural firms and engineers use Windows. Would you say it's because Windows is better, runs longer or has a better ROI?

    In my opinion, both Windows and Mac are excellent operating systems. From what I've observed among my customers, Windows is just as reliable as Apple when operated on quality hardware. Many of them use Lenovo and HP business PCs without any issues. Some even have PCs that are 10 years old and the only upgrade they've required was an SSD drive.
    edited August 19
  • Reply 13 of 13
    Pema Posts: 98 member
    So what else is new? Or news? So far as I am concerned Microsoft is one big Virus. 