Microsoft apps on macOS apparently have some serious security vulnerabilities

A number of Microsoft productivity apps developed for the macOS operating system are vulnerable, allowing attackers to steal sensitive data, record everything the user does on the device, capture audio and video, and further escalate privileges.

This is according to a new report from cybersecurity researchers at Cisco Talos, who said the vulnerabilities they discovered revolve around the way permissions are handled on macOS. In layman's terms, the first time an app needs access to something like the microphone, it asks the user for explicit permission. After that, access remains enabled until the user explicitly revokes it.

By preying on apps that have already been granted extensive permissions, attackers can perform malicious operations on the target endpoint, the researchers concluded.

Microsoft App Errors

The team says they have identified eight vulnerabilities affecting six Microsoft applications:

CVE-2024-42220 (Outlook)
CVE-2024-42004 (Teams – work or school) (main application)
CVE-2024-39804 (PowerPoint)
CVE-2024-41159 (OneNote)
CVE-2024-43106 (Excel)
CVE-2024-41165 (Word)
CVE-2024-41145 (Teams – work or school) (WebView.app helper app)
CVE-2024-41138 (Teams – work or school) (com.microsoft.teams2.modulehost.app)

While this may seem like a big problem, Microsoft has a different impression. The company told the researchers that too many variables are involved, making it highly unlikely that these flaws will be exploited.

The company has no plans to fix the bugs. In the researchers' words: “Microsoft considers these issues to be low risk and that some of their applications, they claim, need to allow loading of unsigned libraries to support plugins. They have refused to fix the issues.”

However, The Register has reported that Microsoft has updated its Teams apps and OneNote to remove the feature that allowed library injection, which was at the heart of the problem.
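One way a defender can look for the combination the report describes (an app that may load unsigned libraries and also holds camera or microphone access), as an added example that is not code from the article, Cisco Talos or Microsoft. It assumes that the entitlement `com.apple.security.cs.disable-library-validation` is the setting that permits unsigned library loading, that the `NS*UsageDescription` keys in Info.plist mark the TCC-protected resources an app can request, and that `codesign -d --entitlements - --xml` is available on the macOS version in use.

```python
"""Added audit example (not the article's or the project's code): flag macOS app bundles
that disable library validation AND declare camera/microphone/automation usage."""
import plistlib
import subprocess
from pathlib import Path

# Assumption: this entitlement is what allows an app to load unsigned libraries.
DISABLE_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"
# Info.plist keys an app must declare before macOS will prompt for these TCC resources.
SENSITIVE_USAGE_KEYS = {
    "NSMicrophoneUsageDescription": "microphone",
    "NSCameraUsageDescription": "camera",
    "NSAppleEventsUsageDescription": "automation",
}


def assess(entitlements: dict, info_plist: dict) -> dict:
    """Pure decision logic: injectable code plus a TCC-relevant resource is the risky combo."""
    injectable = bool(entitlements.get(DISABLE_LIB_VALIDATION, False))
    resources = sorted(name for key, name in SENSITIVE_USAGE_KEYS.items() if key in info_plist)
    return {"injectable": injectable, "resources": resources,
            "at_risk": injectable and bool(resources)}


def audit_bundle(app_path: Path) -> dict:
    """macOS only: read the signed entitlements via codesign and the bundle's Info.plist."""
    # Assumption: on recent macOS, '--entitlements - --xml' writes an XML plist to stdout.
    raw = subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", str(app_path)],
        capture_output=True, check=True,
    ).stdout
    entitlements = plistlib.loads(raw) if raw.strip() else {}
    with open(app_path / "Contents" / "Info.plist", "rb") as fh:
        info = plistlib.load(fh)
    return {"app": app_path.name, **assess(entitlements, info)}


# Constructed sample (not real Microsoft entitlements): what a flagged bundle looks like.
SAMPLE_ENTITLEMENTS = plistlib.loads(b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.disable-library-validation</key><true/>
</dict></plist>""")
SAMPLE_INFO = {"CFBundleName": "ExampleApp",
               "NSMicrophoneUsageDescription": "Needed for calls"}

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on a Mac, call audit_bundle() instead.
    print(assess(SAMPLE_ENTITLEMENTS, SAMPLE_INFO))
```

On a Mac, `audit_bundle(Path("/Applications/SomeApp.app"))` can be run over each bundle in /Applications to list which ones combine both properties.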
