Creepy vulnerabilities found in Microsoft Apps for macOS: "Record audio clips, take pictures, or record videos without any user interaction."

MacBook Pro
(Image credit: NguyenDucQuang)

MacBooks are generally very security-forward, but a few vulnerable Microsoft apps within macOS could expose your device to multiple malicious actions, like sending emails from your account without your knowledge, recording audio or video, or snapping photos with your webcam, it was revealed on Monday.

Cisco Talos Intelligence Group, a commercial threat intelligence team formed by the digital communications conglomerate Cisco, discovered these app vulnerabilities. The group was investigating the susceptibility of Apple's Transparency, Consent, and Control (TCC) framework.

...if an adversary were to gain access to these, they could potentially leak sensitive information or, in the worst case, escalate privileges.

Francesco Benvenuto, Cisco Talos


The TCC framework is responsible for sending permission requests to run new apps and letting you know when an app wants access to your contacts, photos, webcam, microphone, and more through what's called an entitlement. 

Apple defines an entitlement as "a right or privilege that grants an executable partner capabilities."

With the vulnerabilities Cisco Talos found in its analysis, an attacker can inject malicious libraries into these apps to gain entitlements without user knowledge and, therefore, "gain any privileges already granted to the affected Microsoft applications." 

Francesco Benvenuto, a senior security research engineer at Cisco Talos, writes in the blog post how the vulnerabilities could create wide-open access.

"Permissions regulate whether an app can access resources such as the microphone, camera, folders, screen recording, user input, and more. 

"So if an adversary were to gain access to these, they could potentially leak sensitive information or, in the worst case, escalate privileges."

Apple employs two built-in methods in macOS to prevent library-injection malware attacks: sandboxing apps downloaded from the App Store so they can only access resources specified through entitlements and hardened runtime, which can stop malicious libraries from being run.

However, Cisco Talos isn't convinced these two protections would negate a malicious attack on the vulnerable Microsoft apps investigated. 

Benvenuto writes, "Even though hardened runtime guards against library injection attacks and the sandbox secures user data and system resources, a malware might still find ways to exploit certain applications under specific conditions."

Specifically, the Microsoft apps looked at had a 'com.apple.security.cs.disable-library-validation' entitlement that Cisco Talos believes could "allow an attacker to inject any library and run arbitrary code within the compromised application," essentially gaining the ability to "exploit the application's full set of permissions and entitlements."

What do these discovered vulnerabilities mean for you?

Cisco Talos told Microsoft about the eight vulnerabilities, including:

  1. CVE-2024-42220 (Microsoft Outlook)
  2. CVE-2024-39804 (Microsoft PowerPoint)
  3. CVE-2024-41159 (Microsoft OneNote)
  4. CVE-2024-43106 (Microsoft Excel)
  5. CVE-2024-41165 (Microsoft Word)
  6. CVE-2024-42004 (Microsoft Teams for work or school, main app)
  7. CVE-2024-41145 (Microsoft Teams for work or school, WebView.app helper app)
  8. CVE-2024-41138 (Microsoft Teams for work or school, com.microsoft.teams2.modulehost.app)

MacBook Air 15 M3 lid closed on a slatted wooden table

(Image credit: Laptop Mag/Sean Riley)

According to Cisco Talos, Microsoft deemed all the vulnerabilities "low risk," and said that "some of their applications, they claim, need to allow loading of unsigned libraries to support plugins." Microsoft "declined to fix the issues" — at least, initially.

At the time of writing, The Register reports that Microsoft has issued updates for its Teams and OneNote apps, "removing the entitlement that allowed library injection, essentially mitigating the bugs."

The remaining apps — Outlook, PowerPoint, Excel, and Word — remain vulnerable to potential attacks, and it's not clear whether Microsoft intends to update them in the future.

The remaining apps — Outlook, PowerPoint, Excel, and Word — remain vulnerable to potential attacks, and it's not clear whether Microsoft intends to update them in the future.

As of right now, these app vulnerabilities aren't actively being exploited. Cisco Talos discovered Microsoft app vulnerabilities while investigating Apple's TCC framework, but there are no known malicious attacks to be aware of on any Microsoft apps mentioned.

If you have an outstanding update for Microsoft Teams or OneNote, download and install it as soon as possible. As for Microsoft's Office apps that remain vulnerable, the only thing you can do is keep them fully updated and monitor app permissions.

Go to Settings > Apps > Installed apps to check an app's permissions. Find the app in question, click the three horizontal dots to the right, and select Advanced Options from the pop-up menu to view its active permissions.

Should Microsoft update its other vulnerable apps, we'll surely hear about it and report back.

Category
Arrow
Arrow
Back to Apple MacBook Pro
Brand
Arrow
Processor
Arrow
RAM
Arrow
Storage Size
Arrow
Screen Size
Arrow
Colour
Arrow
Screen Type
Arrow
Condition
Arrow
Price
Arrow
Any Price
Showing 10 of 476 deals
Filters
Arrow
Load more deals
Sarah Chaney
Contributing Writer

Sarah Chaney is a freelance tech writer with five years of experience across multiple outlets, including Mashable, How-To Geek, MakeUseOf, Tom’s Guide, and of course, Laptop Mag. She loves reviewing the latest gadgets, from inventive robot vacuums to new laptops, wearables, and anything PC-related. When she's not writing, she's probably playing a video game, exploring the outdoors, or listening to her current favorite song or album on repeat.