Creepy vulnerabilities found in Microsoft Apps for macOS: "Record audio clips, take pictures, or record videos without any user interaction."

MacBook Pro
(Image credit: NguyenDucQuang)

MacBooks are generally very security-forward, but a few vulnerable Microsoft apps within macOS could expose your device to multiple malicious actions, like sending emails from your account without your knowledge, recording audio or video, or snapping photos with your webcam, it was revealed on Monday.

Cisco Talos Intelligence Group, a commercial threat intelligence team formed by the digital communications conglomerate Cisco, discovered these app vulnerabilities. The group was investigating the susceptibility of Apple's Transparency, Consent, and Control (TCC) framework.

The TCC framework is responsible for sending permission requests to run new apps and letting you know when an app wants access to your contacts, photos, webcam, microphone, and more through what's called an entitlement. 

Apple defines an entitlement as "a right or privilege that grants an executable particular capabilities."

With the vulnerabilities Cisco Talos found in its analysis, an attacker can inject malicious libraries into these apps to gain entitlements without user knowledge and, therefore, "gain any privileges already granted to the affected Microsoft applications." 

Francesco Benvenuto, a senior security research engineer at Cisco Talos, writes in the blog post how the vulnerabilities could create wide-open access.

"Permissions regulate whether an app can access resources such as the microphone, camera, folders, screen recording, user input, and more. 

"So if an adversary were to gain access to these, they could potentially leak sensitive information or, in the worst case, escalate privileges."

Apple employs two built-in methods in macOS to prevent library-injection malware attacks: app sandboxing, which restricts apps downloaded from the App Store to the resources specified through their entitlements, and the hardened runtime, which can stop malicious libraries from being loaded.

However, Cisco Talos isn't convinced these two protections would negate a malicious attack on the vulnerable Microsoft apps investigated. 

Benvenuto writes, "Even though hardened runtime guards against library injection attacks and the sandbox secures user data and system resources, a malware might still find ways to exploit certain applications under specific conditions."

Specifically, the Microsoft apps looked at had a 'com.apple.security.cs.disable-library-validation' entitlement that Cisco Talos believes could "allow an attacker to inject any library and run arbitrary code within the compromised application," essentially gaining the ability to "exploit the application's full set of permissions and entitlements."
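As an added defensive check (not code from the article or from Cisco Talos), the following shell script reports which installed app bundles carry that entitlement, so a Mac administrator can see where an injected library would inherit an app's permissions. It assumes macOS's `codesign -d --entitlements :-` prints the entitlements as an XML plist; the sample plists inside are constructed for an offline self-test.

```shell
#!/bin/sh
# Added audit helper, not code from the article or Cisco Talos. It reports
# which .app bundles carry com.apple.security.cs.disable-library-validation,
# the entitlement that lets an injected library inherit the app's TCC grants.
# Assumes macOS's codesign for --scan; the sample plists below are constructed.

ENTITLEMENT='com.apple.security.cs.disable-library-validation'

# Read an entitlements plist on stdin; print "present" when the key is set
# to <true/>, else "absent". Newlines/tabs are stripped first because codesign
# prints the <key> and its <true/> value on separate lines.
classify_entitlements() {
  if tr -d '\n\t' | grep -q "<key>${ENTITLEMENT}</key> *<true/>"; then
    echo present
  else
    echo absent
  fi
}

# Dump one bundle's entitlements with codesign and classify them. Exit status
# is 1 when the entitlement is present, so the function works as a check.
audit_app() {
  result=$(codesign -d --entitlements :- "$1" 2>/dev/null | classify_entitlements)
  printf '%s\t%s\n' "$result" "$1"
  [ "$result" = absent ]
}

# Constructed sample plists (not from any real app) for the offline self-test.
SAMPLE_OPTED_OUT='<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
</dict></plist>'
SAMPLE_HARDENED='<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key>
  <false/>
  <key>com.apple.security.device.camera</key>
  <true/>
</dict></plist>'

# `sh audit.sh --scan` walks /Applications on a Mac; without the flag it only
# runs the offline self-test on the constructed samples.
if [ "${1:-}" = --scan ]; then
  for app in /Applications/*.app; do audit_app "$app" || true; done
else
  printf '%s' "$SAMPLE_OPTED_OUT" | classify_entitlements   # present
  printf '%s' "$SAMPLE_HARDENED"  | classify_entitlements   # absent
fi
```

An app that still needs the entitlement for plug-ins is not automatically compromised, but every bundle the scan flags is one whose camera, microphone or mail permissions would be inherited by any library loaded into it.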

What do these discovered vulnerabilities mean for you?

Cisco Talos told Microsoft about the eight vulnerabilities, including:

  1. CVE-2024-42220 (Microsoft Outlook)
  2. CVE-2024-39804 (Microsoft PowerPoint)
  3. CVE-2024-41159 (Microsoft OneNote)
  4. CVE-2024-43106 (Microsoft Excel)
  5. CVE-2024-41165 (Microsoft Word)
  6. CVE-2024-42004 (Microsoft Teams for work or school, main app)
  7. CVE-2024-41145 (Microsoft Teams for work or school, WebView.app helper app)
  8. CVE-2024-41138 (Microsoft Teams for work or school, com.microsoft.teams2.modulehost.app)

MacBook Air 15 M3 lid closed on a slatted wooden table

(Image credit: Laptop Mag/Sean Riley)

According to Cisco Talos, Microsoft deemed all the vulnerabilities "low risk," and said that "some of their applications, they claim, need to allow loading of unsigned libraries to support plugins." Microsoft "declined to fix the issues" — at least, initially.

At the time of writing, The Register reports that Microsoft has issued updates for its Teams and OneNote apps, "removing the entitlement that allowed library injection, essentially mitigating the bugs."

The remaining apps — Outlook, PowerPoint, Excel, and Word — remain vulnerable to potential attacks, and it's not clear whether Microsoft intends to update them in the future.

As of right now, these app vulnerabilities aren't actively being exploited. Cisco Talos discovered the Microsoft app vulnerabilities while investigating Apple's TCC framework, but there are no known malicious attacks on any of the Microsoft apps mentioned.

If you have an outstanding update for Microsoft Teams or OneNote, download and install it as soon as possible. As for Microsoft's Office apps that remain vulnerable, the only thing you can do is keep them fully updated and monitor app permissions.

Go to Settings > Apps > Installed apps to check an app's permissions. Find the app in question, click the three horizontal dots to the right, and select Advanced Options from the pop-up menu to view its active permissions.

Should Microsoft update its other vulnerable apps, we'll surely hear about it and report back.
