Several Microsoft productivity apps, built for the macOS operating system, are vulnerable in a way that allows hackers to steal sensitive data, record everything the user does on the device, record audio and video, and further escalate privileges.
That’s according to a new report from cybersecurity researchers at Cisco Talos, who claim that the vulnerabilities they discovered revolve around the way permissions are managed on macOS. In simple terms, the first time an app needs to access, say, the microphone, it asks the user for explicit permission. After that, access remains enabled until the user explicitly revokes it.
Therefore, by injecting code into an application that has already been granted broad permissions, a threat actor inherits those permissions and can execute malicious operations on the targeted endpoint, the researchers concluded.
Microsoft Application Failures
In total, the team claims to have identified eight vulnerabilities affecting six Microsoft applications:
CVE-2024-42220 (Outlook)
CVE-2024-42004 (Teams – work or school) (main application)
CVE-2024-39804 (PowerPoint)
CVE-2024-41159 (OneNote)
CVE-2024-43106 (Excel)
CVE-2024-41165 (Word)
CVE-2024-41145 (Teams – work or school) (WebView.app helper)
CVE-2024-41138 (Teams – work or school) (com.microsoft.teams2.modulehost.app)
While this may seem like a major concern, Microsoft sees it differently. The company told the researchers that there are too many variables involved, making it highly unlikely that these flaws would be exploited.
As a result, the company has no plans to patch the flaws. “Microsoft considers these issues to be low risk and some of its applications, they claim, need to allow loading of unsigned libraries to support plug-ins and have declined to fix the issues,” the researchers said in the blog post.
However, The Register reports that Microsoft has since updated its Teams and OneNote apps to remove the feature that allowed library injection, which was at the heart of the problem.
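A defender's audit for the weakness described above, added here as an example and not code from the Talos report or from Microsoft: it walks the installed app bundles and flags those whose code-signing entitlements permit loading libraries that would otherwise fail signature validation, which is the property library injection relies on. The two entitlement keys are real Apple hardened-runtime entitlements; the exact codesign output format is an assumption noted in the code.

```python
import plistlib
import subprocess
import sys
from pathlib import Path
from xml.parsers.expat import ExpatError

# Hardened-runtime entitlements (real Apple keys) that let a signed app load
# libraries the code-signature check would otherwise reject; that is what makes
# library injection into an already-trusted app possible.
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation":
        "may load unsigned or differently signed dylibs (plug-in support)",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* variables, which can redirect library loading",
}

def risky_entitlements(plist_xml: bytes) -> dict:
    """Return the risky entitlements set to true in an entitlements plist."""
    try:
        ents = plistlib.loads(plist_xml)
    except (plistlib.InvalidFileException, ExpatError):
        return {}  # unsigned binary, no entitlements, or non-plist output
    if not isinstance(ents, dict):
        return {}
    return {k: why for k, why in RISKY_ENTITLEMENTS.items() if ents.get(k) is True}

def app_entitlements(app: Path) -> bytes:
    """Dump an app bundle's entitlements with codesign (macOS only).
    Assumption: '--xml' yields an XML plist on the target macOS release."""
    result = subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", str(app)],
        capture_output=True, check=False,
    )
    return result.stdout

def audit(apps_dir: Path) -> dict:
    """Map each .app under apps_dir to the risky entitlements it carries."""
    findings = {}
    for app in sorted(apps_dir.glob("*.app")):
        hits = risky_entitlements(app_entitlements(app))
        if hits:
            findings[app.name] = hits
    return findings

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("/Applications")
    for name, hits in audit(target).items():
        print(name)
        for key, why in hits.items():
            print(f"  {key}: {why}")
```

A flagged app is not itself a vulnerability, but any TCC permission the user has granted it (microphone, camera, screen recording) is what an injected library would inherit, so those entries deserve a closer look.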