Microsoft 365 apps, including Teams and Office apps, have been found to be leaking sensitive permissions in macOS.
Microsoft Teams, Outlook, and a wide range of other Office apps for macOS were found to harbor vulnerabilities. These can be exploited to bypass permissions and remotely access input devices on your Mac, a Cisco Talos report found.
The report stated that as many as eight Microsoft 365 apps can be manipulated to leak permissions. That means that if any of the eight apps has been granted access to resources such as your microphone, webcam, file system, screen recording, or other forms of input, hackers can take control of those resources and use them discreetly, without the user’s knowledge. Besides Outlook, the vulnerability affects Microsoft Word, PowerPoint, Excel, OneNote, and three different varieties of the Teams app, including its web version.
Microsoft Apps Expose Sensitive Permissions in macOS
The report identified a key loophole in Microsoft’s apps that bypasses the techniques macOS already uses to prevent malware from taking control of the entire system. Apple’s macOS uses sandboxing to limit each app’s access to the specific permissions it has been granted, called “entitlements,” which makes it more secure than Windows. That means apps must seek individual permissions for “privileged” resources, including the camera, microphone, and location, through individual pop-up dialog boxes. While the technique gives Apple’s operating system stronger security, it isn’t foolproof, simply because it relies on applications to safeguard permissions.
These measures are further reinforced by Hardened Runtime, a technique Apple employs to prevent “library injection,” a method hackers use to inject malicious code into Mac apps while they are running. However, Hardened Runtime also allows developers to use specific entitlements to bypass its restrictions if the app doesn’t function properly. In Microsoft’s case, each of the eight reportedly vulnerable apps disables these protections, probably to avoid issues while the apps are running.
According to Cisco, Microsoft deems these issues “low risk,” but pushed out updates to OneNote and three variants of Teams so they no longer use the entitlement. “The remaining four applications remain vulnerable.”
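To check an app for the condition described above (a Hardened Runtime exception that permits library injection, held by an app that also has access to privileged resources), the following added example parses an entitlements plist and flags that combination. It is not code from the Cisco Talos report or from Microsoft; the entitlement key names come from Apple's documentation rather than from this article, and both sample plists are constructed.

```python
import plistlib

# Hardened Runtime exceptions that let a process load code not signed by the
# app's own team. Key names are from Apple's documentation, not the article.
INJECTION_EXCEPTIONS = {
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
}

# Entitlements for the "privileged" resources the article lists.
PRIVILEGED = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.location": "location",
}


def audit_entitlements(plist_bytes):
    """Return (exceptions, resources, exposed) for one entitlements plist."""
    ents = plistlib.loads(plist_bytes)
    # A key only takes effect when it is set to boolean true.
    enabled = {key for key, value in ents.items() if value is True}
    exceptions = sorted(enabled & INJECTION_EXCEPTIONS)
    resources = sorted(PRIVILEGED[key] for key in enabled & PRIVILEGED.keys())
    # Exposed: injected code would run with the app's granted resource access.
    return exceptions, resources, bool(exceptions and resources)


# Constructed sample plists; not dumped from any real application.
SAMPLE_WEAKENED = plistlib.dumps({
    "com.apple.security.cs.disable-library-validation": True,
    "com.apple.security.device.camera": True,
    "com.apple.security.device.audio-input": True,
})
SAMPLE_HARDENED = plistlib.dumps({
    "com.apple.security.cs.disable-library-validation": False,
    "com.apple.security.device.camera": True,
    "com.apple.security.device.audio-input": True,
})

if __name__ == "__main__":
    for name, blob in (("weakened", SAMPLE_WEAKENED), ("hardened", SAMPLE_HARDENED)):
        exceptions, resources, exposed = audit_entitlements(blob)
        verdict = "REVIEW" if exposed else "ok"
        print(f"{name}: {verdict} exceptions={exceptions} resources={resources}")
```

On a Mac, `codesign -d --entitlements - --xml <path to .app>` prints an installed app's entitlements plist, which can be passed to `audit_entitlements` as bytes.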