Understanding and Mitigating Vulnerabilities in Microsoft Apps for macOS
In recent findings by Cisco Talos, eight vulnerabilities were discovered in Microsoft applications for macOS, posing significant security risks. These vulnerabilities allow attackers to inject malicious libraries into trusted apps, exploiting their permissions without user consent. This could lead to unauthorized access to sensitive resources like microphones, cameras, and user data.
The Core Issue
Apple’s macOS employs a permission-based security model, with the Transparency, Consent, and Control (TCC) framework at its core. This model ensures that users have control over what applications can access, with permissions being explicitly granted through user prompts. However, these vulnerabilities in Microsoft’s macOS apps bypass this model, allowing attackers to hijack the permissions already granted to these apps, leading to potential unauthorized activities like recording audio, taking photos, or even sending emails without the user’s knowledge.
A Closer Look
At Burzcast, we extensively use, believe in, and implement Microsoft 365 for our clients worldwide. We trust Microsoft products and use them daily, standing behind their reliability. The vulnerabilities are particularly concerning in Microsoft Office and Teams apps, where a specific entitlement, com.apple.security.cs.disable-library-validation, is enabled. This entitlement allows the loading of unsigned dynamic libraries, a critical flaw that undermines the hardened runtime security feature in macOS. As a result, attackers can inject their malicious libraries, taking over the permissions granted to these apps.
The Impact
Once an attacker has injected a library into one of these apps, they can perform actions on behalf of the compromised app without triggering any user notifications. For instance, an attacker could use the permissions already granted to Microsoft Teams to access the camera or microphone without the user's knowledge. This makes these vulnerabilities especially dangerous, as they turn trusted apps into potential vectors for cyberattacks.
How Attackers Gain Access
To exploit these vulnerabilities, an attacker would need to either gain physical access to the target machine or deliver a pre-infected package. The attack involves techniques like "library injection" or "Dylib Hijacking," where the attacker inserts malicious code into a running application. This allows them to inherit all permissions granted to that app, enabling undetected access to sensitive resources. Such an attack is sophisticated and requires specific conditions, emphasizing the need for strong security practices.
Mitigation Strategies
To protect against these vulnerabilities, users and organizations should consider the following measures:
- Regular Updates: Ensure that all applications are regularly updated to the latest versions, as Microsoft has patched some of the vulnerabilities in recent updates.
- Application Security Settings: Review and adjust application security settings, especially the permissions granted to apps. Consider restricting unnecessary permissions.
- Use of Security Tools: If needed, employ advanced security tools and endpoint protection solutions.
- Awareness and Training: Educate users about the potential risks of granting permissions to applications and encourage them to be vigilant about unexpected behavior from their installed apps.
- Safe Downloads: Never download packages from unknown sources. Always use the official Microsoft 365 website to download client applications. If you're unsure how to do this securely, feel free to reach out to us for expert advice.
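As an added example (not code from the Talos report, Microsoft, or this post), a POSIX shell audit that applies the point from "A Closer Look" and the "Application Security Settings" item above: it lists installed app bundles whose entitlements set com.apple.security.cs.disable-library-validation and whether each opts into the hardened runtime. The `codesign --entitlements :-` and `codesign -dv` output formats are assumed from macOS, and the sample plists are constructed for a hypothetical app.

```shell
#!/bin/sh
# Added audit helper: flags app bundles whose entitlements carry
# com.apple.security.cs.disable-library-validation. The audit needs macOS
# `codesign`; the classifier only needs POSIX tr/grep.

# Read an entitlements plist on stdin; print "library-validation-disabled"
# when the key is set to <true/>, else "library-validation-enforced".
classify_library_validation() {
  # Strip whitespace so <key>...</key> and its value become adjacent, then
  # match the exact pair as a fixed string (so <false/> does not match).
  if tr -d '\n\r\t ' | grep -qF \
      '<key>com.apple.security.cs.disable-library-validation</key><true/>'; then
    echo library-validation-disabled
  else
    echo library-validation-enforced
  fi
}

# Walk every .app under a directory (default /Applications) and print
# "<app> <hardened-runtime?> <verdict>". `codesign -d --entitlements :-`
# dumps entitlements as XML; `codesign -dv` shows "(runtime)" in its flags
# when the hardened runtime is enabled (assumed output format).
audit_apps() {
  dir="${1:-/Applications}"
  for app in "$dir"/*.app; do
    [ -d "$app" ] || continue
    verdict=$(codesign -d --entitlements :- "$app" 2>/dev/null \
              | classify_library_validation)
    runtime=no-hardened-runtime
    codesign -dv "$app" 2>&1 | grep -q '(runtime)' && runtime=hardened-runtime
    printf '%s\t%s\t%s\n' "$app" "$runtime" "$verdict"
  done
}

# Constructed sample entitlements for a hypothetical app (not taken from
# any real binary), used to exercise the classifier offline.
SAMPLE_DISABLED='<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.camera</key><true/>
</dict></plist>'
SAMPLE_STRICT='<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><false/>
  <key>com.apple.security.device.microphone</key><true/>
</dict></plist>'

# Run the real audit when a directory is given on the command line.
if [ $# -gt 0 ]; then audit_apps "$1"; fi
```

An app that shows up as both "hardened-runtime" and "library-validation-disabled" is exactly the configuration the post describes: the runtime is on, but its library-validation protection has been opted out of.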
While Microsoft considers these vulnerabilities to be of low risk, the potential impact on user privacy and security is significant. By understanding these risks and implementing appropriate mitigation strategies, users and organizations can better protect their macOS environments from potential exploitation.