How a major vulnerability in Microsoft's apps allowed hackers to break into Macs



A critical vulnerability in Microsoft’s apps for macOS was discovered recently. It allowed hackers to spy on Mac users by exploiting flaws in popular applications like Microsoft Outlook and Teams.

Security researchers from Cisco Talos, a cybersecurity division known for its focus on malware and system vulnerabilities, recently detailed how this security gap could be used by attackers to access sensitive components like a Mac’s microphone and camera without the user’s knowledge or consent.

The flaw in Microsoft’s Mac Apps
The vulnerability stems from how Microsoft apps interact with macOS’s Transparency, Consent, and Control (TCC) framework, which is designed to manage app permissions.

TCC ensures that apps must request specific entitlements to access features such as the camera, microphone, or location services. Normally, apps without these entitlements cannot even ask for permission, effectively blocking unauthorised access.

However, the exploit discovered by Cisco Talos shows that malicious actors can inject harmful software into Microsoft apps, and then hijack the permissions already granted to those apps.

This means that once an attacker successfully injects their code into an app like Microsoft Teams or Outlook, they could gain access to a Mac computer’s camera and microphone, enabling them to record audio or take photos without any prompts to the user.

The researchers identified eight distinct vulnerabilities within various Microsoft applications for macOS. These vulnerabilities allow hackers to bypass macOS’s permission model by leveraging the entitlements that have already been granted to these apps. With this exploit, attackers can spy on users without any interaction from the user, putting their privacy at significant risk.

Microsoft’s Response
Despite the severity of the findings, Microsoft has downplayed the risks associated with this exploit, categorising it as “low risk.” According to Microsoft, the attack depends on the use of unsigned libraries to support third-party plugins, which they view as an uncommon and unlikely scenario.

Nevertheless, in response to the reported vulnerabilities, Microsoft has rolled out updates to some of its apps, including Teams and OneNote, to address the way these applications handle library validation.

However, other widely used apps like Excel, PowerPoint, Word, and Outlook remain vulnerable, with no immediate fix in sight. This partial response has raised concerns among security experts, who question Microsoft’s decision to disable certain security measures like library validation, which were originally intended to protect users from such attacks. The researchers argue that by bypassing these safeguards, Microsoft is potentially exposing its users to unnecessary security risks.
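
A defender-side check for the condition described above, as an added example that is not from the original article, Cisco Talos or Microsoft: it parses an app's entitlements plist and flags apps that both disable library validation and hold camera or microphone entitlements. The entitlement key names are Apple's and are not named in the article; the app names and sample plists are constructed.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Apple's entitlement key names; they are not named in the article.
DISABLE_LV = "com.apple.security.cs.disable-library-validation"
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.device.microphone": "microphone",  # App Sandbox form
}

def assess(entitlements: bytes) -> dict:
    """Classify one app from its entitlements plist (XML or binary)."""
    if not entitlements.strip():
        # The app carries no entitlements, so there is nothing to flag.
        return {"status": "ok", "resources": []}
    try:
        ents = plistlib.loads(entitlements)
    except (ValueError, ExpatError):
        return {"status": "unparseable", "resources": []}
    if not isinstance(ents, dict):
        return {"status": "unparseable", "resources": []}
    resources = sorted({name for key, name in SENSITIVE.items()
                        if ents.get(key) is True})
    if ents.get(DISABLE_LV) is True:
        # Libraries not signed by the app's developer can load into this
        # process; with camera/microphone entitlements present, they would
        # run under the permissions the user granted to the app.
        status = "review" if resources else "lv-disabled"
    else:
        status = "ok"
    return {"status": status, "resources": resources}

def audit(apps: dict) -> list:
    """Return the names of apps that need review, sorted."""
    return sorted(n for n, e in apps.items() if assess(e)["status"] == "review")

# Constructed sample input (hypothetical app names, not real products).
SAMPLES = {
    "ChatApp": plistlib.dumps({DISABLE_LV: True,
                               "com.apple.security.device.camera": True,
                               "com.apple.security.device.audio-input": True}),
    "NotesApp": plistlib.dumps({DISABLE_LV: True}),
    "MailApp": plistlib.dumps({"com.apple.security.device.camera": True}),
    "PlainTool": b"",
    "Corrupt": b"not a plist",
}

if __name__ == "__main__":
    for name, ents in SAMPLES.items():
        print(name, assess(ents))
```

On a Mac, the input for each app can be taken from `codesign -d --entitlements - --xml <path to .app>` on recent macOS versions.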

The Need for Enhanced Security Measures
The Cisco Talos researchers also pointed out that Apple could take additional steps to strengthen macOS’s TCC framework. One suggested improvement is for the system to prompt users whenever third-party plugins are loaded into apps that have already been granted sensitive permissions.

This would add an extra layer of security, ensuring that users are aware of any unusual or unauthorised activity.

As it stands, the combination of Microsoft’s handling of app entitlements and Apple’s current TCC framework leaves room for vulnerabilities that could be exploited by determined attackers. Both companies may need to take more proactive measures to protect users from these emerging threats, especially as the reliance on digital communication tools continues to grow.

In the meantime, Mac users are advised to remain vigilant, particularly if they use Microsoft apps on their devices, and to keep their software up to date to minimise the risk of exploitation.
