New Vulnerabilities Discovered in Microsoft Applications for macOS
Eight critical vulnerabilities have been uncovered in multiple Microsoft applications for macOS, posing a serious threat as they may allow attackers to escalate privileges or access sensitive data. These flaws could be exploited to circumvent macOS’s permissions-based model, which is governed by Apple’s Transparency, Consent, and Control (TCC) framework. The TCC framework is designed to manage and safeguard user data by controlling how applications access sensitive information. However, these vulnerabilities, found in popular Microsoft apps such as Outlook, Teams, Word, Excel, PowerPoint, and OneNote, could be manipulated to bypass these protections. Attackers could inject malicious libraries into these applications, gaining their permissions and entitlements. This would allow unauthorized actions such as sending emails, recording audio, taking photos, or accessing sensitive information without the user’s knowledge or consent. The threat lies in the ability of attackers to exploit these apps to operate with elevated privileges, effectively breaking through the security barriers intended by the TCC framework.
Understanding the TCC Framework
TCC is a framework developed by Apple to regulate access to sensitive user data on macOS. It ensures transparency and control over how data is accessed and used by different applications installed on a user’s machine. The framework maintains an encrypted database that records the permissions granted by users to each application, ensuring these preferences are consistently enforced across the system.
TCC works in tandem with the macOS application sandboxing feature. Sandboxing restricts an application’s access to the system and other apps, adding an additional layer of security. Together, TCC and sandboxing help safeguard user data from unauthorized access.
Vulnerabilities in Microsoft Applications
The vulnerabilities span several Microsoft applications, including Outlook, Teams, Word, Excel, PowerPoint, and OneNote. According to a report by Cisco Talos, these flaws could be exploited by injecting malicious libraries into the applications, allowing attackers to gain the entitlements and user-granted permissions associated with these apps. Once compromised, these permissions could be weaponized to extract sensitive information, depending on the level of access granted to each application.
The Threat of Library Injection
One of the key techniques that could be exploited is library injection, also known as Dylib Hijacking in the context of macOS. This technique involves inserting malicious code into the running process of an application. While macOS employs several countermeasures against this threat—such as hardened runtime, which reduces the likelihood of executing arbitrary code through another app’s process—these measures are not foolproof.
Security researcher Francesco Benvenuto from Talos noted that if an attacker manages to inject a library into the process space of a running application, that library could exploit all the permissions already granted to the process. In effect, the malicious library would operate on behalf of the legitimate application, executing actions without the user’s consent or knowledge.
Exploitation and Impact
For an attacker to exploit these vulnerabilities, they must already have a certain level of access to the compromised host. Once they achieve this, they could open a more privileged application and inject a malicious library, thereby gaining access to all the permissions associated with the compromised app.
In a scenario where a trusted application is infiltrated, the attacker could leverage the application’s permissions to gain unauthorized access to sensitive information. This breach could occur when an application loads libraries from locations that the attacker can manipulate, particularly if the application has disabled library validation—a risky entitlement that, when enabled, limits the loading of libraries to those signed by the application’s developer or Apple.
Benvenuto highlighted that macOS relies on applications to self-police their permissions. A failure in this responsibility could lead to a breach of the entire permission model, with applications inadvertently acting as proxies for unauthorized actions, thereby circumventing TCC and compromising the system’s security model.
Microsoft’s Response
Microsoft has categorized the identified issues as “low risk,” citing that the affected applications need to load unsigned libraries to support plugins. Despite this, Microsoft has taken steps to address the problem in its OneNote and Teams applications.
Benvenuto emphasized that the vulnerabilities could leave the door open for adversaries to exploit all of an application’s entitlements. Without any user prompts, attackers could reuse all the permissions already granted to the application, effectively turning the app into a permission broker for unauthorized actions.
Challenges in Mitigating the Threat
The vulnerabilities raise important questions about securely handling plugins within macOS’s current framework. While notarization of third-party plugins is a possible solution, it is complex and would require either Microsoft or Apple to sign third-party modules after verifying their security.
These newly discovered vulnerabilities underscore the importance of vigilance and continuous improvement in security practices, especially for widely used applications like those offered by Microsoft.
Remediation Steps
- Update Applications: Ensure all Microsoft applications on macOS are updated to the latest versions where Microsoft has provided patches, specifically for OneNote and Teams.
- Enable Library Validation: Re-enable library validation in affected applications to restrict the loading of unsigned libraries.
- Enhance Plugin Security: Implement stricter controls or use notarized plugins to minimize the risk associated with loading third-party modules.
- Monitor Application Permissions: Regularly audit and review the permissions granted to applications to ensure they align with current security policies.
- Restrict Application Access: Limit the access level of applications by using macOS’s built-in controls, ensuring they only access data necessary for their functionality.
- Implement Sandboxing Enhancements: Strengthen application sandboxing to reduce the potential impact of library injection attacks.