Microsoft macOS Apps Vulnerability Allows Hackers to Record Audio/Video

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Post Sharing

Cisco Talos has identified eight security vulnerabilities in Microsoft applications running on the macOS operating system, raising concerns about potential exploitation by adversaries.

These vulnerabilities, if exploited, could allow attackers to hijack the permissions and entitlements of Microsoft applications, leading to unauthorized access to sensitive resources such as microphones, cameras, and user data.

The vulnerabilities revolve around the macOS security model, particularly its Transparency, Consent, and Control (TCC) framework.

This framework is designed to protect user privacy by requiring explicit user consent before applications can access sensitive resources. However,

Cisco Talos discovered that these Microsoft applications could be manipulated to bypass this permission model, allowing attackers to use existing app permissions without user verification.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

List of Affected Applications

The vulnerabilities were found in the following Microsoft applications, each identified by a corresponding CVE:

  • Microsoft Outlook (CVE-2024-42220)
  • Microsoft Teams (work or school) (CVE-2024-42004)
  • Microsoft PowerPoint (CVE-2024-39804)
  • Microsoft OneNote (CVE-2024-41159)
  • Microsoft Excel (CVE-2024-43106)
  • Microsoft Word (CVE-2024-41165)
  • Microsoft Teams WebView.app helper app (CVE-2024-41145)
  • Microsoft Teams com.microsoft.teams2.modulehost.app (CVE-2024-41138)

If an attacker successfully exploits these vulnerabilities, they could perform actions such as sending emails, recording audio, or capturing video without user knowledge. Microsoft has classified these issues as low risk and has declined to fix them, citing the need to allow loading of unsigned libraries for plugin support in some applications.

The vulnerabilities were discovered in two groups of apps: Microsoft Office apps (Word, Outlook, Excel, OneNote, PowerPoint) and Microsoft Teams apps (Teams, WebView.app, com.microsoft.teams2.modulehost.app).

All these apps are vulnerable to library injection attacks because they have the com.apple.security.cs.disable-library-validation entitlement set to true, allowing an attacker to inject any library and run arbitrary code within the compromised application.

For example, if an attacker injects a malicious library into Microsoft Outlook, they could send emails without user interaction. Similarly, if an attacker injects a library into Microsoft Teams, they could access the camera and microphone without triggering any pop-up notifications.

Understanding the macOS Security Model

Apple’s macOS employs a layered security model that includes TCC and entitlements to protect user privacy. While TCC requires user consent for accessing sensitive data, entitlements grant specific capabilities to applications.

However, the identified vulnerabilities highlight potential weaknesses in this model, particularly when trusted applications are compromised.

Microsoft has updated four of the vulnerable applications, removing the entitlement that allowed library validation to be disabled. However, Microsoft Excel, Outlook, PowerPoint, and Word remain vulnerable. Users are advised to be cautious and monitor application permissions through the macOS “Privacy & Security” settings.

The discovery of these vulnerabilities underscores the importance of robust security measures in software applications.

While the macOS security model provides significant protection, the potential for exploitation through trusted applications highlights the need for continuous vigilance and updates to security protocols.

Users are encouraged to stay informed about application permissions and to update software regularly to mitigate potential risks.

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download