Researchers at Cisco Talos have uncovered serious vulnerabilities in Microsoft applications for the macOS operating system that could allow attackers to misuse permissions.
The vulnerabilities can be exploited by injecting malicious libraries into Microsoft applications to gain entitlements and user-granted permissions.
These permissions control whether an app can access resources such as the microphone, camera, folders, screen recording, user input and more, allowing attackers to spy on the user or steal sensitive information.
"We identified eight vulnerabilities in various Microsoft applications for macOS, through which an attacker could bypass the operating system’s permission model by using existing app permissions without prompting the user for any additional verification,” researchers said.
“If successful, the adversary could gain any privileges already granted to the affected Microsoft applications. Microsoft considers these issues low risk, and some of their applications need to allow loading of unsigned libraries to support plugins and have declined to fix the issues."
Apple's macOS features a layered security model, including Transparency Consent and Control (TCC) – a framework developed by Apple to manage access to personal data and system privileges, requiring explicit user approval before granting access.
However, this isn’t foolproof, researchers warned. It depends on applications responsibly handling the permissions they receive. If a trusted application is compromised, it could be manipulated to abuse its permissions, allowing attackers to perform actions without user knowledge.
"For instance, if a video chat app with camera and microphone access is exploited, it could be forced to record without alerting the user," Cisco Talos said.
"This situation points to a key aspect: macOS trusts applications to self-police their permissions. A failure in this responsibility leads to a breach of the entire permission model, with applications inadvertently acting as proxies for unauthorized actions, circumventing TCC and compromising the system's security model."
As an example, Cisco Talos used Microsoft apps, each of which had hardened runtime enabled, together with the ‘com.apple.security.cs.disable-library-validation’ entitlement.
RELATED WHITEPAPER
Of the eight applications it reported, four were updated by Microsoft and no longer possess the 'com.apple.security.cs.disable-library-validation' entitlement.
These included: Microsoft Teams, WebView.app (Microsoft Teams helper), com.microsoft.teams2.modulehost.app helper, now renamed Microsoft Teams ModuleHost.app, and Microsoft OneNote.
However, Microsoft Excel, Outlook, PowerPoint, and Word all remain vulnerable.
Microsoft appears to use the ‘com.apple.security.cs.disable-library-validation’ entitlement for certain apps to support certain plug-ins. According to Apple, this allows the loading of plug-ins signed by third-party developers.
Despite this, the only plug-ins available to Microsoft's macOS apps appear to be web-based and known as Office add-ins.
"If this understanding is correct, it raises questions about the necessity of disabling library validation, especially if no additional libraries are expected to be loaded. By using this entitlement, Microsoft is circumventing the safeguards offered by the hardened runtime, potentially exposing its users to unnecessary risks," Cisco Talos said.
"It's also important to mention that it’s unclear how to securely handle such plug-ins within macOS' current framework. Notarization of third-party plug-ins is an option, albeit a complex one, and it would require Microsoft or Apple to sign third-party modules after verifying their security."
The company recommends Apple should introduce a user prompt, similar to the resource permissions in TCC, enabling users to decide whether to load a specific third-party plug-in.
This, it said, would provide a more controlled means of granting access without broadly compromising security.
-
Cisco takes aim at AI security at RSAC with ServiceNow partnershipNews The companies claim Cisco AI Defense and ServiceNow SecOps will help address new challenges raised by AI
-
Why veterans can excel in data centers – and could help the IT sector address its skill shortagesIn-depth Ex-military workers can bring software and hardware to civilian roles
-
So long, Defender VPN: Microsoft is scrapping the free-to-use privacy tool over low uptakeNews Defender VPN, Microsoft's free virtual private network, is set for the scrapheap, so you might want to think about alternative services.
-
Hackers are on a huge Microsoft 365 password spraying spree – here’s what you need to knowNews A botnet made up of 130,000 compromised devices has been conducting a huge password spraying campaign targeting Microsoft 365 accounts.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Microsoft is increasing payouts for its Copilot bug bounty programNews Microsoft has expanded the bug bounty program for its Copilot lineup, boosting payouts and adding coverage of WhatsApp and Telegram tools.
-
Hackers are using this new phishing technique to bypass MFANews Microsoft has warned that a threat group known as Storm-2372 has altered its tactics using a specific ‘device code phishing’ technique to bypass MFA and steal access tokens.
-
A new phishing campaign is exploiting Microsoft’s legacy ADFS identity solution to steal credentials and bypass MFANews Researchers at Abnormal Security have warned of a new phishing campaign targeting Microsoft's Active Directory Federation Services (ADFS) secure access system.
-
Hackers are using Microsoft Teams to conduct “email bombing” attacksNews Experts told ITPro that tactics like this are on the rise, and employees must be trained effectively
-
Microsoft files suit against threat actors abusing AI services
News Cyber criminals are accused of using stolen credentials for an illegal hacking as a service operation
