Microsoft apps on MacOS apparently have some serious security flaws

A computer screen showing a spreadsheet in use.
(Image credit: 123RF)

A number of Microsoft productivity apps, built for the macOS operating system, are vulnerable in a way that allows hackers to steal sensitive data, record everything the user is doing on the device, record audio and video, and further escalate privileges.

This is according to a new report from cybersecurity researchers at Cisco Talos, who said the vulnerabilities they discovered revolve around the way permissions are handled on macOS. In layman’s terms, the first time an app needs access to, for example, the microphone, it will ask the user for explicit permission. After that, the access remains enabled until the user, once again, explicitly denies it.

Therefore, by hunting for apps that have already been granted extensive permissions, threat actors can run malicious operations on the target endpoint, the researchers concluded.

Microsoft app flaws

To that end, the team say they have identified eight vulnerabilities affecting six of Microsoft’s applications:

CVE-2024-42220 (Outlook)
CVE-2024-42004 (Teams – work or school) (main app)
CVE-2024-39804 (PowerPoint)
CVE-2024-41159 (OneNote)
CVE-2024-43106 (Excel)
CVE-2024-41165 (Word)
CVE-2024-41145 (Teams – work or school) (WebView.app helper app)
CVE-2024-41138 (Teams – work or school) (com.microsoft.teams2.modulehost.app)

While this may seem to be a major concern, Microsoft is under a different impression. The company told the researchers that there are too many variables, making exploiting these flaws highly unlikely.

As a result, the company has no plans to patch the flaws, stating, "Microsoft considers these issues low risk, and some of their applications, they claim, need to allow loading of unsigned libraries to support plugins and have declined to fix the issues,” the researchers said in the blog post.

However The Register has reported Microsoft has updated its Teams apps, and OneNote, to remove the feature that allowed library injection, which was at the very core of the issue.

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.