Security researchers from Cisco Talos have reported vulnerabilities in several Microsoft apps for macOS, which could potentially allow unauthorized access to users’ microphones and cameras.
The vulnerabilities affect popular apps such as Outlook, Teams, Excel, OneNote, and Word, and they abuse the macOS Transparency, Consent, and Control (TCC) framework, which manages app permissions for accessing sensitive features.
Normally, TCC ensures that apps ask for permission before accessing sensitive features like the camera and microphone. However, the vulnerabilities allow hackers to sneak in malicious code that uses the permissions already granted to Microsoft apps, bypassing the usual security checks.
In response, Microsoft has categorized these vulnerabilities as “low risk” because the exploit requires hackers to load unsigned libraries, which is not straightforward. The company has fixed the issue in Microsoft Teams and OneNote by changing how these apps handle certain permissions. However, Excel, PowerPoint, Word, and Outlook are still at risk because they need to support third-party plugins.
Cisco Talos has questioned Microsoft’s decision to disable library validation and said that it may expose users to unnecessary risks. They also suggest that Apple could improve its security system to alert users when new plugins are added to apps with existing permissions.
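To see which installed apps combine the two conditions described above, a defender can audit app entitlements. The following is an added example, not code from Cisco Talos or Microsoft: it parses entitlements plists (such as those `codesign -d --entitlements` prints) and flags apps that both disable library validation and declare camera or microphone access. The app names and sample plists are constructed for illustration.

```python
import plistlib

# Hardened-runtime entitlement that turns library validation off.
DISABLE_LIBRARY_VALIDATION = "com.apple.security.cs.disable-library-validation"
# Hardened-runtime entitlements for camera and microphone access.
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}

def audit_entitlements(plist_bytes):
    """Classify one app's entitlements plist (XML or binary)."""
    ent = plistlib.loads(plist_bytes)
    if not isinstance(ent, dict):
        raise ValueError("entitlements plist must be a dictionary")
    resources = sorted(name for key, name in SENSITIVE.items() if ent.get(key) is True)
    lv_off = ent.get(DISABLE_LIBRARY_VALIDATION) is True
    return {
        "library_validation_disabled": lv_off,
        "sensitive_resources": resources,
        # Flag only the combination the article describes.
        "flagged": lv_off and bool(resources),
    }

def audit_all(apps):
    """Map app name -> finding; unparsable plists are reported, not skipped."""
    report = {}
    for name, blob in apps.items():
        try:
            report[name] = audit_entitlements(blob)
        except Exception as exc:  # malformed or truncated plist
            report[name] = {"error": type(exc).__name__}
    return report

# Constructed sample entitlements (hypothetical apps, not real Microsoft data).
SAMPLES = {
    "PluginHost.app": plistlib.dumps({
        DISABLE_LIBRARY_VALIDATION: True,
        "com.apple.security.device.camera": True,
        "com.apple.security.device.audio-input": True,
    }),
    "StrictApp.app": plistlib.dumps({"com.apple.security.device.camera": True}),
    "Broken.app": b"<plist><dict><key>truncated",
}

if __name__ == "__main__":
    for app, finding in audit_all(SAMPLES).items():
        print(app, finding)
```

Entitlements show what an app is allowed to request; whether the user has actually granted camera or microphone access is recorded separately by TCC.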
We ask users to keep their Microsoft applications updated and be cautious when installing untrusted plugins.