Multiple flaws in Microsoft macOS apps unpatched despite potential risks

Windows giant tells Cisco Talos it isn't fixing them


Cisco Talos says eight vulnerabilities in Microsoft's macOS apps could be abused by nefarious types to record video and sound from a user's device, access sensitive data, log user input, and escalate privileges.

The vulnerabilities exist across Excel, OneNote, Outlook, PowerPoint, Teams, and Word, but Microsoft told Talos it won't be fixing them. All eight can be seen below:

"Microsoft considers these issues low risk, and some of their applications, they claim, need to allow loading of unsigned libraries to support plugins and have declined to fix the issues," said Francesco Benvenuto, senior security research engineer at Talos.

Apple's security model is permission-based and relies on the transparency, consent, and control (TCC) framework. For users familiar with macOS, it's what requests your permission to run new apps and displays prompts when those apps want to access sensitive stores such as contacts, photos, webcams, etc.

TCC works with what Apple calls entitlements, of which only a few are available to software makers, and developers choose what entitlements they need to have enabled.

So, if they know their app has a feature that requires the device's microphone, they enable that entitlement. Once it's enabled, macOS notices it needs to ask the user if that's OK, and delivers a prompt to get their explicit consent.

The whole idea behind Talos's work here is that once these entitlements, permissions – whatever you want to call them – are set by the user, they stay set unless manually changed in macOS's system settings.

If an attacker can take advantage of the apps that have already been granted permission to do the things they want to, they no longer have to trick a target into running a shady program; they can just exploit Word instead, for example, and inject some code into Word's processes so they can access protected resources.

Apple counters this with a few methods. App sandboxing is one. Every macOS app downloaded from the App Store is sandboxed, and such apps can only access the resources the devs specified through entitlements.

Hardened runtime is another protection that works alongside sandboxing. It stops an app from loading libraries other than those signed by the devs or Apple itself, and so stops attackers from executing code via trusted apps.

Benvenuto said that some of Microsoft's most popular apps have entitlements enabled that allow them to disable security features introduced by Apple's hardened runtime, such as library validation.

"Even though hardened runtime guards against library injection attacks and the sandbox secures user data and system resources, malware might still find ways to exploit certain applications under specific conditions," the researcher said.

"If successful, this would allow the attacker to assume the application's entitlements and permissions. It's important to note that not all sandboxed applications are equally susceptible. Typically, a combination of specific entitlements or vulnerabilities is required for an app to become a viable attack vector.

"The vulnerabilities we're addressing are relevant when an application loads libraries from locations an attacker could potentially manipulate. If the application has the com.apple.security.cs.disable-library-validation entitlement, it allows an attacker to inject any library and run arbitrary code within the compromised application. As a result, the attacker could exploit the application's full set of permissions and entitlements."

All the Microsoft apps in question are protected by hardened runtime and also disable library validation through entitlements, effectively disabling protection against malicious library injection, Benvenuto argued.
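The combination Talos describes is visible in an app's entitlements: library validation disabled alongside entitlements for TCC-gated resources. The following is an added audit helper, not code from Talos or Microsoft, that parses an entitlements plist and flags that combination. Only the com.apple.security.cs.disable-library-validation key comes from the article; the other entitlement names are Apple's documented keys, and the sample plists are constructed for illustration.

```python
import plistlib

# Entitlements that weaken hardened runtime. Only the first is named in the article;
# the others are Apple-documented keys added here for completeness.
HARDENED_RUNTIME_WEAKENERS = {
    "com.apple.security.cs.disable-library-validation": "loads libraries not signed by the app's team or Apple",
    "com.apple.security.cs.allow-dyld-environment-variables": "honours DYLD_* variables, another injection route",
    "com.apple.security.cs.allow-unsigned-executable-memory": "permits unsigned executable memory",
}

# TCC-protected resources that injected code would inherit access to.
SENSITIVE_RESOURCES = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.photos-library": "photos",
}

def audit_entitlements(plist_xml: bytes) -> dict:
    """Parse an entitlements plist and report hardened-runtime weakeners and exposed resources."""
    ents = plistlib.loads(plist_xml)
    weakeners = [k for k in HARDENED_RUNTIME_WEAKENERS if ents.get(k) is True]
    exposed = [name for k, name in SENSITIVE_RESOURCES.items() if ents.get(k) is True]
    return {
        "weakening_entitlements": weakeners,
        "exposed_resources": exposed,
        # The condition from the article: library validation off AND access to TCC-protected resources.
        "library_injection_exposes_resources": (
            "com.apple.security.cs.disable-library-validation" in weakeners and bool(exposed)
        ),
    }

# Constructed sample modelled on an app that disables library validation and holds camera/mic access.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.app-sandbox</key><true/>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.device.camera</key><true/>
<key>com.apple.security.device.audio-input</key><true/>
</dict></plist>"""

# Constructed sample of the mitigated state: same resources, but the weakening entitlement removed.
MITIGATED_SAMPLE = SAMPLE.replace(
    b"<key>com.apple.security.cs.disable-library-validation</key><true/>\n", b"")

if __name__ == "__main__":
    print(audit_entitlements(SAMPLE))
    print(audit_entitlements(MITIGATED_SAMPLE))
```

On a Mac, the plist for an installed app can be dumped with `codesign -d --entitlements :- "/Applications/Microsoft Word.app"` and fed to `audit_entitlements`.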

He also highlighted that the only plugins available to Microsoft's macOS apps are Office add-ins, meaning there is no apparent reason to open their apps to running plugins from third parties, as they did through the entitlements.

The researcher didn't go as far as to provide a working exploit showing how the issue could be abused in real-world attacks. The investigation instead served more as a reminder of the ways in which software vendors ship apps to macOS that might not be as secure as the user would believe. We asked Talos for a bit more on this and will update if they offer more information.

Despite designating these vulnerabilities as low risk and declining to patch them, Microsoft has since updated its Teams and OneNote apps, removing the entitlement that allowed library injection and essentially mitigating the bugs there.

The Office apps were left untouched, though, and to Benvenuto remain unnecessarily vulnerable.

El Reg approached Microsoft for a response, but there was no immediate reply. ®
