Microsoft apps on MacOS apparently have some serious security flaws
Despite warnings, Microsoft says threats are not that serious
A number of Microsoft productivity apps, built for the macOS operating system, are vulnerable in a way that allows hackers to steal sensitive data, record everything the user is doing on the device, record audio and video, and further escalate privileges.
This is according to a new report from cybersecurity researchers at Cisco Talos, who said the vulnerabilities they discovered revolve around the way permissions are handled on macOS. In layman’s terms, the first time an app needs access to, for example, the microphone, it will ask the user for explicit permission. After that, the access remains enabled until the user, once again, explicitly denies it.
Therefore, by hunting for apps that have already been granted extensive permissions, threat actors can run malicious operations on the target endpoint, the researchers concluded.
Microsoft app flaws
To that end, the team say they have identified eight vulnerabilities affecting six of Microsoft’s applications:
CVE-2024-42220 (Outlook)
CVE-2024-42004 (Teams – work or school) (main app)
CVE-2024-39804 (PowerPoint)
CVE-2024-41159 (OneNote)
CVE-2024-43106 (Excel)
CVE-2024-41165 (Word)
CVE-2024-41145 (Teams – work or school) (WebView.app helper app)
CVE-2024-41138 (Teams – work or school) (com.microsoft.teams2.modulehost.app)
While this may seem to be a major concern, Microsoft is under a different impression. The company told the researchers that there are too many variables, making exploiting these flaws highly unlikely.
As a result, the company has no plans to patch the flaws, stating, "Microsoft considers these issues low risk, and some of their applications, they claim, need to allow loading of unsigned libraries to support plugins and have declined to fix the issues,” the researchers said in the blog post.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
However The Register has reported Microsoft has updated its Teams apps, and OneNote, to remove the feature that allowed library injection, which was at the very core of the issue.
More from TechRadar Pro
- One of Microsoft’s biggest Windows 11 updates yet brought a massive number of security flaw fixes
- Here's a list of the best firewall software around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.