Vulnerabilities in Microsoft apps for macOS allow stealing permissions

Pierluigi Paganini September 03, 2024

Vulnerabilities in Microsoft apps for macOS could allow attackers to steal permissions and access sensitive data.

Cisco Talos researchers discovered eight vulnerabilities in Microsoft apps for macOS. These flaws could allow attackers to inject malicious libraries into Microsoft’s apps and steal permissions. This could enable access to sensitive resources like the microphone, camera, and screen recording, potentially leading to data leaks or privilege escalation.

The researchers analyzed the exploitability of the platform’s permission-based security model, which is based on the Transparency, Consent, and Control (TCC) framework.

“We identified eight vulnerabilities in various Microsoft applications for macOS, through which an attacker could bypass the operating system’s permission model by using existing app permissions without prompting the user for any additional verification.” reads the advisory published by Talos. “If successful, the adversary could gain any privileges already granted to the affected Microsoft applications.”

Cisco Talos identified vulnerabilities in Microsoft macOS applications that could let attackers send emails, record audio, take pictures, or record videos without user knowledge. Despite these risks, Microsoft considers the issues low-risk and declined to fix them, stating that some apps need to allow unsigned libraries for plugin support. Talos provided a list of these vulnerabilities with corresponding Talos IDs and CVEs.

Below is the list of the vulnerabilities reported by Talos, with the corresponding Talos IDs and CVEs:

Talos ID          CVE              App name
TALOS-2024-1972   CVE-2024-42220   Microsoft Outlook
TALOS-2024-1973   CVE-2024-42004   Microsoft Teams (work or school)
TALOS-2024-1974   CVE-2024-39804   Microsoft PowerPoint
TALOS-2024-1975   CVE-2024-41159   Microsoft OneNote
TALOS-2024-1976   CVE-2024-43106   Microsoft Excel
TALOS-2024-1977   CVE-2024-41165   Microsoft Word
TALOS-2024-1990   CVE-2024-41145   Microsoft Teams (work or school) WebView.app helper app
TALOS-2024-1991   CVE-2024-41138   Microsoft Teams (work or school) com.microsoft.teams2.modulehost.app

Despite these risks, Microsoft downplayed the severity of the issues and stated that it will not address them, because exploitation requires that some of the apps allow unsigned libraries to be loaded for plugin support.

The Transparency, Consent, and Control (TCC) framework on macOS requires applications to get explicit user consent before accessing sensitive resources like contacts, photos, or location. TCC works with entitlements, which are capabilities that apps need to support specific functions. While developers can use a selection of entitlements, the most powerful ones are reserved for Apple’s own apps and system binaries. When an app requests access to a resource, a permission pop-up is triggered for user approval.

The researchers focused on exploiting macOS applications by injecting a malicious library in order to misuse the permissions or entitlements of other apps. The technique, called Dylib Hijacking, allows attacker-controlled code to be loaded into a running app. Although macOS features like the hardened runtime aim to prevent such attacks, if the injection succeeds the injected library can leverage all the permissions granted to the original application, effectively acting on its behalf.

The permissions granted by users are logged in the TCC database.

“Once the user has made their choice, any future camera-related request from the “Malevolent App” will be governed by the recorded decision in the database. This system effectively enables users to control and be informed of the privacy-sensitive actions an application intends to carry out.” continues the report. “The necessary user interaction is what enables users to prevent malicious applications from performing sensitive actions such as recording a video or taking pictures.”

The experts pointed out that the TCC model isn’t foolproof. If a trusted application with elevated permissions is compromised, it could be manipulated to abuse its permissions, enabling unauthorized actions like recording without user knowledge.

The researchers noticed that several of Microsoft’s macOS applications use the hardened runtime, which enhances security. However, they also have the risky com.apple.security.cs.disable-library-validation entitlement enabled. The hardened runtime protects against library injection and the sandbox protects data; however, malware that compromises a specific application can assume that application’s entitlements and permissions. This risk arises when an application loads libraries from locations an attacker can manipulate, allowing the attacker to inject a library and run arbitrary code with the application’s permissions. Not all sandboxed apps are equally vulnerable; specific entitlements or vulnerabilities increase susceptibility.

The analysis focused on two groups of Microsoft apps. The first group, “Microsoft Office apps,” includes Microsoft Word, Outlook, Excel, OneNote, and PowerPoint; these apps share common vulnerabilities. The second group, “Microsoft Teams apps,” consists of the main Microsoft Teams app along with its helper apps, WebView.app and com.microsoft.teams2.modulehost.app; this group has distinct vulnerabilities due to its helper apps and specific features. The experts demonstrated that these apps are vulnerable and described the potential implications of these issues.

The vulnerable Microsoft apps on macOS allow attackers to exploit all the app’s entitlements and reuse permissions without any user prompts. Microsoft uses the com.apple.security.cs.disable-library-validation entitlement to support “plug-ins,” which, according to Apple, should only allow loading of third-party signed plug-ins. However, Microsoft’s macOS apps mainly use web-based “Office add-ins,” raising concerns about the need for this entitlement. The researchers warn that by disabling library validation, Microsoft may be bypassing macOS’s hardened runtime security, exposing users to unnecessary risks.
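The Dylib Hijacking scenario and the role of the com.apple.security.cs.disable-library-validation entitlement described above can be checked on any installed app. The following script is an added example written for this article; it is not code from Talos, Microsoft or Security Affairs. It parses the entitlement plist that `codesign -d --entitlements :- App.app` prints (on macOS 13 and later `codesign -d --entitlements - --xml App.app` gives the same XML), reads the `flags=...(runtime)` line that `codesign -dv` writes to stderr to confirm the hardened runtime is on, and correlates the findings with the TCC services the app has already been granted. The entitlement plist, the codesign output and the TCC grant rows below are constructed samples so the script runs offline; the bundle identifier com.example.office and the `risk_report` severity scale are assumptions of this example, not something the report defines.

```python
"""Audit a macOS app for entitlements that let an injected dylib reuse its TCC grants.

Added example for this article, not code from the Talos report. Inputs are the
plist from `codesign -d --entitlements :- App.app`, the stderr of `codesign -dv`,
and the app's TCC grants as (client bundle id, service) pairs.
"""
import plistlib
import re
import subprocess
from typing import Dict, List, Tuple

# Hardened-runtime exceptions that weaken code-signing enforcement (real entitlement keys).
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation":
        "libraries not signed by the app's team may be loaded (dylib hijacking)",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* environment variables are honoured, so code can be injected at load time",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "unsigned executable memory is permitted",
    "com.apple.security.get-task-allow":
        "other processes may obtain the task port and control the app",
}

# Constructed sample: entitlements of a sandboxed app that also disables library validation.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict>
</plist>
"""

# Constructed sample of `codesign -dv` output; "runtime" in the flags means hardened runtime.
SAMPLE_CODESIGN_DV = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.office
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
"""

# Constructed sample of TCC grants (client bundle id, TCC service). On a real Mac these are
# rows of the 'access' table in ~/Library/Application Support/com.apple.TCC/TCC.db.
SAMPLE_TCC_GRANTS: List[Tuple[str, str]] = [
    ("com.example.office", "kTCCServiceMicrophone"),
    ("com.example.office", "kTCCServiceCamera"),
    ("com.example.other", "kTCCServiceScreenCapture"),
]


def parse_entitlements(blob: bytes) -> Dict[str, object]:
    """Parse codesign's entitlement output; skip any binary header before '<?xml'."""
    start = blob.find(b"<?xml")
    if start < 0:
        return {}
    return plistlib.loads(blob[start:])


def has_hardened_runtime(codesign_dv: str) -> bool:
    """True when the CodeDirectory flags list contains 'runtime'."""
    m = re.search(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)", codesign_dv)
    return bool(m) and "runtime" in m.group(1).split(",")


def audit_entitlements(ents: Dict[str, object]) -> List[Tuple[str, str]]:
    """Return (entitlement, reason) for every risky entitlement set to true."""
    return [(k, why) for k, why in RISKY_ENTITLEMENTS.items() if ents.get(k) is True]


def inherited_services(bundle_id: str, grants: List[Tuple[str, str]]) -> List[str]:
    """TCC services an injected library would inherit from this app."""
    return sorted(svc for client, svc in grants if client == bundle_id)


def risk_report(bundle_id: str, ents: Dict[str, object], codesign_dv: str,
                grants: List[Tuple[str, str]]) -> Dict[str, object]:
    """Combine the checks; severity scale is this example's own assumption."""
    findings = audit_entitlements(ents)
    if not has_hardened_runtime(codesign_dv):
        findings.append(("hardened-runtime", "not enabled: library validation is never enforced"))
    services = inherited_services(bundle_id, grants)
    severity = "high" if findings and services else "medium" if findings else "low"
    return {"bundle_id": bundle_id, "findings": findings,
            "inherited_services": services, "severity": severity}


def audit_installed_app(app_path: str, grants: List[Tuple[str, str]] = ()) -> Dict[str, object]:
    """Run the same checks on a real bundle (macOS only; codesign -d writes to stderr)."""
    ents = subprocess.run(["codesign", "-d", "--entitlements", ":-", app_path],
                          capture_output=True, check=True).stdout
    dv = subprocess.run(["codesign", "-dv", app_path], capture_output=True,
                        text=True, check=True).stderr
    ident = re.search(r"^Identifier=(.+)$", dv, re.MULTILINE)
    bundle_id = ident.group(1).strip() if ident else app_path
    return risk_report(bundle_id, parse_entitlements(ents), dv, list(grants))


if __name__ == "__main__":
    report = risk_report("com.example.office", parse_entitlements(SAMPLE_ENTITLEMENTS),
                         SAMPLE_CODESIGN_DV, SAMPLE_TCC_GRANTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The sample app comes out as "high" because it both disables library validation and already holds camera and microphone grants, which is exactly the combination the report describes: an injected library would act with those grants and no new prompt. Reading a real TCC.db requires Full Disk Access, so on a fleet the grant rows are better collected through MDM or an endpoint agent than by opening the database directly.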

“We used Microsoft apps as a case study. Each of these applications had hardened runtime enabled, together with the com.apple.security.cs.disable-library-validation entitlement. Microsoft considers these issues low risk.” concludes the report. “Nevertheless, of the eight applications we reported, the following four were updated by Microsoft and no longer possess the com.apple.security.cs.disable-library-validation entitlement and are therefore no longer vulnerable to the scenario we described:

  • Microsoft Teams (work or school) the main app
  • Microsoft Teams (work or school) WebView.app
  • Microsoft Teams (work or school) com.microsoft.teams2.modulehost.app, now renamed Microsoft Teams ModuleHost.app
  • Microsoft OneNote

However, the remaining four applications remain vulnerable:

  • Microsoft Excel
  • Microsoft Outlook
  • Microsoft PowerPoint
  • Microsoft Word

The vulnerable apps leave the door open for adversaries to exploit all of the apps’ entitlements and, without any user prompts, reuse all the permissions already granted to the app, effectively serving as a permission broker for the attacker.”

Pierluigi Paganini