Cisco Talos has identified serious vulnerabilities in Microsoft 365 applications on macOS. These flaws can be exploited to bypass macOS permissions, enabling unauthorized actions like sending emails, recording audio, and capturing videos without user consent. The Microsoft products affected include Outlook, Microsoft Teams, PowerPoint, OneNote, Excel, and Word.
Technical Analysis and Implications
These vulnerabilities stem from code injection techniques, in which malicious code is inserted into a legitimate process so that it runs with that process's access to protected resources. Although macOS offers security features such as Hardened Runtime to prevent code injection, Microsoft's macOS applications opt out of these protections: by enabling the com.apple.security.cs.disable-library-validation entitlement, these apps allow unsigned libraries to be loaded, which is what creates the security flaws.
While Microsoft acknowledges these vulnerabilities, it classifies them as low risk. The company has addressed the issues in the Teams (work or school) app, Teams Web, and OneNote, which don't support plugins. However, Excel, Outlook, PowerPoint, and Word are still vulnerable.
Microsoft prioritizes plugin functionality, complicating potential mitigations such as the notarization of third-party plugins. Microsoft stresses that sandboxing, which limits app access to data and resources, is required for apps on the Mac App Store. Sandboxing ensures that apps can only access resources through explicitly requested entitlements, protected by user consent.
Vulnerability Details and Exploitability
The vulnerabilities were discovered through a detailed analysis of macOS applications and the exploitability of macOS's permission-based security model, particularly the Transparency, Consent, and Control (TCC) framework. These vulnerabilities enable attackers to exploit existing app permissions without additional user verification.
The discovered vulnerabilities have been assigned Talos IDs and CVEs, including TALOS-2024-1972 (CVE-2024-42220) for Microsoft Outlook and TALOS-2024-1973 (CVE-2024-42004) for Microsoft Teams (work or school).
Apple's TCC framework mandates that applications get explicit user consent before accessing protected resources. The research highlights that Microsoft's macOS applications have the com.apple.security.cs.disable-library-validation entitlement enabled, which weakens the Hardened Runtime protections described above. This entitlement allows the loading of unsigned libraries, potentially facilitating code injection attacks.
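The two passages above come down to one question a defender can check: which installed apps carry the com.apple.security.cs.disable-library-validation entitlement? The following audit script is an added example, not code from Talos or Microsoft; it assumes the usual macOS invocation of `codesign -d --entitlements` to dump a bundle's entitlements, parses them with `plistlib`, and flags that entitlement together with two related Hardened Runtime opt-outs (an assumed set).

```python
"""Audit a macOS app bundle's entitlements for Hardened Runtime opt-outs
that make library injection easier (added example, not the article's code)."""
import plistlib
import subprocess

# Entitlements that weaken Hardened Runtime's protection against code injection.
# The first is the one named in the article; the other two are related
# opt-outs worth flagging in the same audit (assumed, not from the article).
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation":
        "allows loading libraries not signed by the app's Team ID",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* variables, another library injection vector",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "permits unsigned, writable-then-executable memory",
}


def risky_entitlements(plist_bytes: bytes) -> dict:
    """Return {entitlement: reason} for each risky entitlement set to true.

    Accepts the raw output of codesign, which on older releases prefixes
    the XML plist with a small binary blob header; that header is stripped.
    Non-plist input (e.g. an unsigned binary) yields an empty result."""
    start = plist_bytes.find(b"<?xml")
    if start > 0:
        plist_bytes = plist_bytes[start:]
    try:
        ents = plistlib.loads(plist_bytes)
    except Exception:  # InvalidFileException or an XML parse error
        return {}
    if not isinstance(ents, dict):
        return {}
    return {k: why for k, why in RISKY_ENTITLEMENTS.items() if ents.get(k) is True}


def audit_app(app_path: str) -> dict:
    """macOS-only: dump the bundle's entitlements with codesign (assumed
    invocation; the --xml flag exists on macOS 12+) and check them."""
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", "--xml", app_path],
        capture_output=True, check=True,
    ).stdout
    return risky_entitlements(out)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. /Applications/Microsoft Word.app
        for ent, why in audit_app(path).items():
            print(f"{path}: {ent} ({why})")
```

Run it over /Applications/*.app to get an inventory of apps that have opted out of library validation; each hit is a candidate for the TCC-permission abuse the article describes and deserves a closer look at what plugins it loads.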