Pierluigi Paganini
September 03, 2024
Cisco Talos researchers discovered eight vulnerabilities in Microsoft apps for macOS. These flaws could allow attackers to inject malicious libraries into Microsoft’s apps and steal permissions. This could enable access to sensitive resources like the microphone, camera, and screen recording, potentially leading to data leaks or privilege escalation.
The researchers analyzed the exploitability of the platform’s permission-based security model, which is based on the Transparency, Consent, and Control (TCC) framework.
“We identified eight vulnerabilities in various Microsoft applications for macOS, through which an attacker could bypass the operating system’s permission model by using existing app permissions without prompting the user for any additional verification.” reads the advisory published by Talos. “If successful, the adversary could gain any privileges already granted to the affected Microsoft applications.”
Cisco Talos identified vulnerabilities in Microsoft macOS applications that could let attackers send emails, record audio, take pictures, or record videos without user knowledge. Despite these risks, Microsoft considers the issues low-risk and declined to fix them, stating that some apps need to allow unsigned libraries for plugin support. Talos provided a list of these vulnerabilities with corresponding Talos IDs and CVEs.
Below is the list of the vulnerabilities addressed by the company:
| Talos ID | CVE | App name |
|---|---|---|
| TALOS-2024-1972 | CVE-2024-42220 | Microsoft Outlook |
| TALOS-2024-1973 | CVE-2024-42004 | Microsoft Teams (work or school) |
| TALOS-2024-1974 | CVE-2024-39804 | Microsoft PowerPoint |
| TALOS-2024-1975 | CVE-2024-41159 | Microsoft OneNote |
| TALOS-2024-1976 | CVE-2024-43106 | Microsoft Excel |
| TALOS-2024-1977 | CVE-2024-41165 | Microsoft Word |
| TALOS-2024-1990 | CVE-2024-41145 | Microsoft Teams (work or school) WebView.app helper app |
| TALOS-2024-1991 | CVE-2024-41138 | Microsoft Teams (work or school) com.microsoft.teams2.modulehost.app |
The Transparency, Consent, and Control (TCC) framework on macOS requires applications to get explicit user consent before accessing sensitive resources like contacts, photos, or location. TCC works with entitlements, which are capabilities that apps need to support specific functions. While developers can use a selection of entitlements, the most powerful ones are reserved for Apple’s own apps and system binaries. When an app requests access to a resource, a permission pop-up is triggered for user approval.
The researchers focused on exploiting macOS applications by injecting a malicious library to misuse the permissions or entitlements of other apps. A technique, called Dylib Hijacking, allows code to be inserted into a running app. Although macOS features like hardened runtime aim to prevent such attacks, if successful, the injected library could leverage all the permissions granted to the original application, effectively acting on its behalf.
The permissions granted by users are logged in the TCC database.
“Once the user has made their choice, any future camera-related request from the “Malevolent App” will be governed by the recorded decision in the database. This system effectively enables users to control and be informed of the privacy-sensitive actions an application intends to carry out.” continues the report. “The necessary user interaction is what enables users to prevent malicious applications from performing sensitive actions such as recording a video or taking pictures.”
The experts pointed out that the TCC model isn’t foolproof. If a trusted application with elevated permissions is compromised, it could be manipulated to abuse its permissions, enabling unauthorized actions like recording without user knowledge.
The researchers noticed that several Microsoft’s macOS applications use hardened runtime, enhancing security. However, they also rely on the risky com.apple.security.cs.disable-library-validation entitlement active. Hardened runtime protects against library injection and the use of sandbox secures data, however attackers can use a malware that can compromise specific applications assuming their entitlements and permissions. This risk arises when an application loads libraries from manipulable locations, allowing attackers to inject libraries and run arbitrary code, exploiting the application’s permissions. Not all sandboxed apps are equally vulnerable; specific entitlements or vulnerabilities increase susceptibility.
The analysis focused on two groups of Microsoft apps, the first group, “Microsoft Office apps,” includes Microsoft Word, Outlook, Excel, OneNote, and PowerPoint. These apps share common vulnerabilities. The second group, “Microsoft Teams apps,” consists of the main Microsoft Teams app, along with its helper apps: WebView.app and com.microsoft.teams2.modulehost.app. This group has distinct vulnerabilities due to its helper apps and specific features. The experts demonstrated that these apps are vulnerable and described the potential implications of these issues.
The vulnerable Microsoft apps on macOS allow attackers to exploit all the app’s entitlements and reuse permissions without any user prompts. Microsoft uses the com.apple.security.cs.disable-library-validation entitlement to support “plug-ins,” which, according to Apple, should only allow loading of third-party signed plug-ins. However, Microsoft’s macOS apps mainly use web-based “Office add-ins,” raising concerns about the need for this entitlement. The researchers warn that by disabling library validation, Microsoft may be bypassing macOS’s hardened runtime security, exposing users to unnecessary risks.
“We used Microsoft apps as a case study. Each of these applications had hardened runtime enabled, together with the com.apple.security.cs.disable-library-validation entitlement. Microsoft considers these issues low risk.” concludes the report. “Nevertheless, of the eight applications we reported, the following four were updated by Microsoft and no longer possess the com.apple.security.cs.disable-library-validation entitlement and are therefore no longer vulnerable to the scenario we described:
However, the remaining four applications remain vulnerable:
The vulnerable apps leave the door open for adversaries to exploit all of the apps’ entitlements and, without any user prompts, reuse all the permissions already granted to the app, effectively serving as a permission broker for the attacker.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, NCA)
