New Vulnerabilities in Microsoft macOS Apps Could Give Hackers Full Access
Eight security vulnerabilities have been discovered in Microsoft applications for macOS that could potentially be exploited by attackers to gain elevated privileges or access sensitive data. These flaws allow malicious actors to bypass the macOS permissions model, which relies on Apple’s Transparency, Consent, and Control (TCC) framework.
“If exploited successfully, the attacker could inherit any permissions already granted to the affected Microsoft apps,” said Cisco Talos. “This could allow the attacker to perform actions like sending emails from the user’s account, recording audio or video, or taking pictures — all without the user’s knowledge.”
These vulnerabilities affect several popular Microsoft applications, including Outlook, Teams, Word, Excel, PowerPoint, and OneNote.
According to the cybersecurity firm, attackers could inject malicious libraries into these applications, gaining access to their permissions and privileges. Depending on the app’s access level, this could be exploited to steal sensitive information.
The TCC framework, developed by Apple, is designed to manage access to sensitive user data on macOS, providing users with greater transparency about how their data is accessed and used by different apps. It uses an encrypted database to keep track of the permissions granted by the user to each app, ensuring consistent enforcement of these preferences across the system.
“TCC works in conjunction with the macOS and iOS application sandboxing feature,” Huntress explained. “Sandboxing limits an app’s access to the system and other applications, adding an extra layer of security. TCC ensures that apps can only access data for which they have explicit user consent.”
Sandboxing also serves as a defense against code injection, where attackers insert malicious code into legitimate processes to access protected data.
“Library injection, or Dylib Hijacking in macOS, involves inserting code into an application’s running process,” said Talos researcher Francesco Benvenuto. “macOS mitigates this threat with features like hardened runtime, which reduces the chances of an attacker executing arbitrary code through another app.”
However, if an attacker manages to inject a library into a running application, that library could use all the permissions already granted to the app, effectively acting as the application itself.
Such attacks require the attacker to already have some level of access to the machine. They then use that access to launch a more privileged app and inject a malicious library into it, inheriting all the permissions associated with the targeted app.
If a trusted app is compromised in this way, its permissions can be abused to access sensitive information without the user’s consent or awareness. This type of attack becomes possible when an application loads libraries from locations an attacker can write to, especially if library validation, which normally restricts the app to loading libraries signed by the app’s developer or by Apple, has been disabled (that is, the entitlement that disables it is set to true).
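As an added example (not code from the article, from Cisco Talos, or from Microsoft), the following Python script shows how a defender can audit an installed app for the conditions described above: whether the hardened runtime is enabled, whether the entitlement that disables library validation (or the one that lets DYLD environment variables load libraries) is set, and which device-access entitlements an injected library would inherit. The entitlement keys are Apple's real hardened-runtime entitlement names; the sample entitlements plist and codesign output are constructed for illustration, and the `codesign` invocation in `audit_app` assumes a recent macOS and is not exercised offline.

```python
import plistlib
import re
import subprocess

# Apple hardened-runtime entitlements that weaken the defence against library
# injection. The keys are Apple's real entitlement names; the explanations are ours.
WEAKENING_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation":
        "library validation disabled: dylibs not signed by Apple or the app's own Team ID can be loaded",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* environment variables honoured, so DYLD_INSERT_LIBRARIES can load a foreign dylib",
}

# Constructed sample of what `codesign -d --entitlements - --xml <app>` prints for an
# app that disables library validation (not taken from any real Microsoft app).
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample of the `codesign -dvv <app>` output; the CodeDirectory line
# carries the signing flags, and "runtime" means the hardened runtime is on.
SAMPLE_CODESIGN_DVV = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
"""


def parse_entitlements(xml_blob: bytes) -> dict:
    """Parse an XML entitlements plist into a dict (empty if the app has none)."""
    if not xml_blob.strip():
        return {}
    return plistlib.loads(xml_blob)


def hardened_runtime_enabled(codesign_output: str) -> bool:
    """True when the CodeDirectory flags list includes 'runtime' (hardened runtime on)."""
    m = re.search(r"^CodeDirectory .*flags=0x[0-9a-fA-F]+\(([^)]*)\)", codesign_output, re.M)
    return bool(m) and "runtime" in m.group(1).split(",")


def assess(entitlements: dict, runtime_on: bool) -> list[str]:
    """Return human-readable findings on how library injection is (or is not) mitigated."""
    findings = []
    if not runtime_on:
        findings.append("hardened runtime not enabled: library validation is not enforced at all")
    for key, why in WEAKENING_ENTITLEMENTS.items():
        if entitlements.get(key) is True:
            findings.append(f"{key}: {why}")
    # Device-access entitlements show what an injected library would inherit
    # (camera, microphone, ...), which is only a finding if injection is possible.
    inherited = sorted(k for k, v in entitlements.items()
                       if k.startswith("com.apple.security.device.") and v is True)
    if findings and inherited:
        findings.append("injected code would inherit: " + ", ".join(inherited))
    return findings


def audit_app(app_path: str) -> list[str]:
    """Run codesign against an installed app bundle (macOS only) and assess the result."""
    ents = subprocess.run(["codesign", "-d", "--entitlements", "-", "--xml", app_path],
                          capture_output=True, check=True).stdout
    dvv = subprocess.run(["codesign", "-dvv", app_path],
                         capture_output=True, text=True, check=True)
    # codesign writes the verbose signature description to stderr, not stdout.
    return assess(parse_entitlements(ents), hardened_runtime_enabled(dvv.stderr))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        report = audit_app(sys.argv[1])
    else:
        report = assess(parse_entitlements(SAMPLE_ENTITLEMENTS),
                        hardened_runtime_enabled(SAMPLE_CODESIGN_DVV))
    for line in report or ["no library-injection weakenings found"]:
        print(line)
```

Run without arguments to see the assessment of the constructed sample; pass the path of an app bundle (for example one under /Applications) to audit a real installation. An app with the hardened runtime on and no weakening entitlement produces no findings even if it holds camera or microphone entitlements, because those only matter once something can run inside the process.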
“macOS relies on applications to self-regulate their permissions,” Benvenuto noted. “If this responsibility is not fulfilled, it can lead to a breakdown of the entire permission model, with apps unintentionally acting as proxies for unauthorized actions, bypassing TCC and compromising the system’s security.”
Microsoft has classified these issues as “low risk,” noting that the apps are required to load unsigned libraries to support plugins. However, the company has taken steps to address the vulnerabilities in its OneNote and Teams apps.
“The affected apps provide an opening for attackers to exploit all of their entitlements and, without any user prompts, reuse all the permissions already granted to the app, effectively becoming a permission broker for the attacker,” Benvenuto explained.
He added that securely handling such plugins within the current macOS framework remains a challenge. While notarization of third-party plugins could be an option, it is a complex solution that would require Microsoft or Apple to sign third-party modules after verifying their security.