Microsoft Teams may have downplayed a disastrous security issue


Microsoft has been accused of downplaying the severity of a security issue found in its collaboration platform Teams, which was remedied quietly back in October.

According to a report from security engineer Oskars Vegeris, the company failed to warn users of the problem and neither did it seek Common Vulnerabilities and Exposures (CVE) classification, on the grounds that Teams patches are installed automatically.

Roughly one month after disclosure, the cross-site scripting (XSS) vulnerability was classified by Microsoft as “Important, Spoofing”, which Vegeris describes as “one of the lowest in-scope ratings possible”.

However, the scope of potential attacks and the access they would give to various areas of the compromised network mean the bug demands a much higher threat rating, claims Vegeris.

Microsoft Teams vulnerability

This particular Microsoft Teams vulnerability, according to the researcher, could open the door to “zero click, wormable, cross-platform remote code execution.”

Broken down for the layman, this means the attack does not hinge on a mistake on the part of the victim (such as clicking on a dangerous link), infection can pass from one computer to the next, and the exploit allows the hacker to run malicious code on infected machines at will.

As Vegeris describes, an attacker could send or edit a message that looks identical to any other. When the relevant chat log is opened, the code is launched on the victim’s machine.

“That’s it. There is no further interaction from the victim. Now your company’s internal network, personal documents, O365 documents/mail/notes, secret chats are fully compromised,” wrote Vegeris.

“Think about it. One message, one channel, no interaction. Everyone gets exploited.”

According to the report, the exploit could also have allowed attackers to steal Office 365 SSO tokens (giving them access to corporate email logs, documents etc.), escalate their administrative privileges and gain access to the cameras and microphones of infected devices.

Further, if an organization invited guest entities into their Teams network (often clients or customers), infection could also in theory hop between businesses.

“At least now we have a new joke between colleagues - whenever we get a remote code execution bug, we call it ‘Important, Spoofing’. Thanks Microsoft,” joked Vegeris.

Microsoft did not immediately respond to our request for comment.

Update:

A Microsoft spokesperson has since provided the following statement, though offered no further comment on whether the severity of the bug was originally understated:

"We mitigated the issue with an update in October, which has automatically deployed and protected customers."

Via The Register

Joel Khalili
News and Features Editor

Joel Khalili is the News and Features Editor at TechRadar Pro, covering cybersecurity, data privacy, cloud, AI, blockchain, internet infrastructure, 5G, data storage and computing. He's responsible for curating our news content, as well as commissioning and producing features on the technologies that are transforming the way the world does business.
