Com TW NOw News 2024

Microsoft apps for macOS at risk of library attacks
Popular Microsoft apps for macOS are vulnerable to library injection attacks that allow attackers to leverage the applications’ permissions to bypass macOS’s strict permissions-based security model and checks.

Attackers can abuse the vulnerable apps to perform a variety of malicious actions, such as secretly sending emails from a user’s account or recording audio and video clips, without the user’s knowledge and without any user interaction.

Researchers at Cisco Talos recently discovered the problems when investigating the exploitability of Apple’s Transparency, Consent, and Control (TCC) framework for managing and enforcing privacy settings on user data and various system services on macOS systems. One of the core functions of TCC is to manage an application’s access to sensitive user data and to system features such as the camera, microphone, contacts, calendars, and location services.

Vulnerable apps

Cisco Talos researchers discovered that eight major Microsoft apps for macOS — Outlook, Teams, PowerPoint, OneNote, Excel, Word, and two other Teams-related components — allow attackers to inject a malicious library into the app’s running processes. “That library could leverage any permissions already granted to the process, effectively acting on behalf of the application itself,” Cisco Talos said in a report this week.

The issue Cisco Talos identified revolves around Microsoft’s decision to disable a library validation feature in its apps to allow third-party plugins to load. “Permissions control whether an app can access resources such as the microphone, camera, folders, screen recording, user input, and more. So if an adversary were to gain access to these resources, they could potentially leak sensitive information or, in the worst case, escalate privileges,” the researchers wrote.

Cisco Talos has issued eight separate CVEs for the disabled library validation issue in the eight Microsoft apps for macOS.

Microsoft did not immediately respond to a Dark Reading request for comment. According to Cisco Talos, however, Microsoft has characterized the issue as a low-severity threat and has said it will not release a fix for it. Microsoft nonetheless appears to have updated the affected Teams and OneNote apps after being notified of the issue, Cisco Talos said, while four Microsoft apps for macOS — Excel, Outlook, PowerPoint and Word — remain vulnerable, the security vendor said.

Apple’s TCC Undermined

Jason Soroko, senior vice president of product at Sectigo, says Microsoft’s decision to classify the issue as low severity and choose not to release a fix is potentially risky. “This approach ignores the potential damage if attackers were to exploit these vulnerabilities to gain unauthorized access to sensitive device features such as the camera or microphone,” Soroko says. “By downplaying the threat, Microsoft risks exposing the ingenuity of attackers who could use even ‘weak’ mistakes as a weapon in creative and harmful ways.”

Cisco Talos itself has described the Microsoft apps as undermining the security and privacy protections of Apple’s TCC framework. Unlike most other operating systems, which rely on what’s known as Discretionary Access Control by default, TCC goes a step further by requiring apps to obtain explicit user permission when they want to access certain content and services, such as contacts, calendars, photos, and access to the microphone and camera. TCC also supports a feature that specifically protects against code and library injection into an application’s running processes.

By disabling library validation, Microsoft essentially gave attackers the ability to bypass security and sneak an arbitrary library into the app’s running processes, Cisco Talos said.
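The combination the article describes, a process that accepts unsigned or foreign libraries while holding TCC-protected permissions, can be checked from an app's signed entitlements. The script below is an added example, not code from Cisco Talos or Microsoft: it parses the plist that `codesign -d --entitlements :- /Applications/Foo.app` prints on macOS (here replaced by a constructed sample so it runs offline) and rates the exposure from Apple's hardened-runtime entitlement keys; the severity scale is the author's own assumption.

```python
"""Audit an app bundle's entitlements for the disabled-library-validation weakness.

Added example, not the vendor's tooling. Input is the XML plist produced by
`codesign -d --entitlements :- <app>`; a constructed sample is embedded below.
"""
import plistlib

# Entitlements that let code not signed by the app's team ID enter the process.
# (Real hardened-runtime keys; the descriptions are this script's own wording.)
INJECTION_KEYS = {
    "com.apple.security.cs.disable-library-validation": "library validation disabled",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_* env vars honoured",
}

# TCC-protected resources an injected library would inherit from the host app.
SENSITIVE_KEYS = {
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.device.camera": "camera",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendars",
    "com.apple.security.personal-information.location": "location",
}


def audit_entitlements(plist_bytes: bytes) -> dict:
    """Return the open injection vectors, the TCC resources they reach, and a rating."""
    ent = plistlib.loads(plist_bytes)
    vectors = [desc for key, desc in INJECTION_KEYS.items() if ent.get(key) is True]
    reach = [desc for key, desc in SENSITIVE_KEYS.items() if ent.get(key) is True]
    # Assumed scale: an entry point alone is "low"; entry point plus a protected
    # resource to inherit is "high"; no entry point means the check is "none".
    severity = "high" if vectors and reach else ("low" if vectors else "none")
    return {"vectors": vectors, "reach": reach, "severity": severity}


# Constructed sample resembling an app that loads third-party plugins and
# has already been granted microphone and camera access.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
  <key>com.apple.security.device.camera</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print(audit_entitlements(SAMPLE_PLIST))
```

On a real machine, feed the output of `codesign -d --entitlements :- <app>` for each installed bundle and triage the "high" results first.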

Soroko says the ease of exploiting this issue varies. “While library injection attacks require technical skills, the fact that these vulnerabilities exist in widely used applications like Teams and Outlook increases the risk profile. An attacker with sufficient knowledge could exploit these flaws, particularly in environments with lax security practices.”

He advises organizations to review and tighten app permissions and implement monitoring for unusual activity.