
Microsoft Declines Fixes for macOS App Vulnerabilities

Microsoft apps on macOS found to have security holes that could let hackers access data and records.


Cisco Talos, Cisco's security research team, has discovered eight vulnerabilities in Microsoft applications running on macOS. The flaws could give an attacker a way to access user data, make recordings, and escalate privileges. Microsoft has acknowledged the issues but has elected not to patch them, judging the risk to be minimal.

Details on Vulnerable Applications

The vulnerabilities span several Microsoft apps, including Excel, Word, PowerPoint, Outlook, OneNote, and Teams. Specific identified vulnerabilities include:

Despite the potential severity, Microsoft's response, as noted by security engineer Francesco Benvenuto, is that these issues are low-risk. The company reasons that its apps need to load unsigned libraries to support plugins, and that this justifies its decision not to issue fixes.

macOS Security Model and User Permissions

Apple’s security architecture for macOS is based on the Transparency, Consent, and Control (TCC) framework, which compels apps to gain user consent to access sensitive data like contacts and camera. Developers must have specific entitlements for their apps, which in turn trigger user permission requests.

Once users grant permissions, they persist unless manually modified. That could be problematic if an already-permitted app is compromised, potentially allowing malicious code to utilize these privileges.

Apple employs sandboxing and hardened runtime to limit app capabilities and prevent execution of unauthorized code. However, some Microsoft apps on macOS disable these safeguards, increasing susceptibility to exploits that rely on injecting malicious libraries.

Cisco Talos’s Vulnerability Analysis

Cisco Talos's investigation of macOS permissions showed that an attacker could exploit these vulnerabilities to inject malicious libraries into Microsoft apps and thereby inherit the apps' capabilities and permissions. Such an exploit could allow an attacker to send emails, record multimedia, or access protected resources without the user noticing.

Discretionary Access Control (DAC), used by most operating systems, offers limited defense against compromised software running under user privileges. Microsoft has mitigated these risks in four of the eight affected apps by removing the com.apple.security.cs.disable-library-validation entitlement, effectively reducing their vulnerability.

These updated applications include:

  • Microsoft Teams (main app)
  • Microsoft Teams WebView
  • Microsoft Teams ModuleHost
  • Microsoft OneNote

Nevertheless, vulnerabilities persist in Excel, Outlook, PowerPoint, and Word. These apps continue to possess the com.apple.security.cs.disable-library-validation entitlement, exposing them to potential exploits.
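The entitlement named above can be checked for directly. The following shell script is an added example written for this article (not Cisco Talos's or Microsoft's code): it reads an app bundle's entitlements with codesign and flags bundles that carry com.apple.security.cs.disable-library-validation. It assumes a macOS host for the codesign step; the plist check itself runs anywhere and is demonstrated on constructed sample plists.

```shell
#!/bin/sh
# Audit script for the entitlement discussed above. Constructed for this
# article; it is not Cisco Talos's or Microsoft's code. Requires macOS for
# the codesign step; the plist check itself runs anywhere.

ENT_KEY="com.apple.security.cs.disable-library-validation"

# has_disable_lv: read an entitlements plist (XML) on stdin and return 0 if
# the key is present and set to <true/>, 1 otherwise. The plist is flattened
# first so the <key> and its <true/> value always sit on one line.
has_disable_lv() {
    tr -d '\n\t ' | grep -q "<key>${ENT_KEY}</key><true/>"
}

# dump_entitlements: print an app bundle's entitlements as XML. Uses the
# ":-" form of codesign; newer macOS releases also accept "--xml".
dump_entitlements() {
    codesign -d --entitlements :- "$1" 2>/dev/null
}

# audit_app: report whether one bundle disables library validation.
# Returns 0 when the entitlement is present (a finding), 1 when it is absent.
audit_app() {
    if dump_entitlements "$1" | has_disable_lv; then
        printf 'FINDING  %s: library validation disabled\n' "$1"
        return 0
    fi
    printf 'ok       %s\n' "$1"
    return 1
}

# Constructed sample plists for offline demonstration of has_disable_lv.
SAMPLE_DISABLED='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
</dict></plist>'
SAMPLE_OK='<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key>
  <false/>
  <key>com.apple.security.app-sandbox</key>
  <true/>
</dict></plist>'

# Usage on macOS (not executed here):
#   for app in /Applications/Microsoft*.app; do audit_app "$app"; done
```

A bundle reported as a finding is one where any dylib the process loads, signed or not, is trusted, which is the condition the injection scenario above relies on.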

Last Updated on November 7, 2024 3:12 pm CET

Luke Jones
Luke has been writing about Microsoft and the wider tech industry for over 10 years. With a degree in creative and professional writing, Luke looks for the interesting spin when covering AI, Windows, Xbox, and more.
