Vulnerabilities in Microsoft macOS apps may give attackers access to microphone, camera
Vulnerabilities in popular Microsoft apps for macOS can be abused by attackers to record video and audio clips, take pictures, access and exfiltrate data and send emails, Cisco Talos researchers have discovered.
Library injection vulnerabilities in Microsoft apps for macOS
The flaws – CVE-2024-41138, CVE-2024-41145, CVE-2024-41159, CVE-2024-42004, CVE-2024-41165, CVE-2024-43106, CVE-2024-39804 and CVE-2024-42220 – have been found in Microsoft Teams, OneNote, Outlook, Word, Excel and PowerPoint for macOS.
They allow attackers to inject specially crafted libraries so they can assume the vulnerable apps’ entitlements and the permissions they’ve been granted by users (e.g. access to resources such as the microphone, camera, folders, screen recording, user input, etc.)
macOS employs a security feature called Hardened Runtime, whose library validation blocks an app from loading dynamic libraries (dylibs) that are not signed by Apple or by the app's own Team ID, which is what prevents library hijacking. The vulnerable apps, however, have enabled a specific entitlement – com.apple.security.cs.disable-library-validation – that opts out of library validation and nullifies that protection.
“Even though hardened runtime guards against library injection attacks and the [macOS App Sandbox] secures user data and system resources, malware might still find ways to exploit certain applications under specific conditions,” Francesco Benvenuto, Sr. Vulnerability Researcher with Cisco Talos, explained.
“It’s important to note that not all sandboxed applications are equally susceptible. Typically, a combination of specific entitlements or vulnerabilities is required for an app to become a viable attack vector.”
Is an app potentially vulnerable to library injection? (Source: Cisco Talos)
Other macOS apps may be vulnerable if they carry the com.apple.security.cs.disable-library-validation entitlement and an attacker has a way to replace or add a library the app loads, Benvenuto told Help Net Security, but the entitlement on its own does not make an app vulnerable in every case.
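The combination Benvenuto describes (library validation disabled plus sandbox entitlements that grant access to the camera, microphone, files or the network) can be triaged from an app's code signature. The script below is an added example written for this article, not Cisco Talos's or Microsoft's tooling: it dumps an app bundle's entitlements with `codesign -d --entitlements :-` (assumed to emit an XML plist, as it does on current macOS) and reports whether library validation is disabled and which sensitive entitlements an injected library would inherit. The list of "sensitive" entitlements, the constructed sample plists and the verdict logic are the author's illustrative choices; as the text says, an app flagged here still needs a writable library load path before it is actually exploitable.

```python
#!/usr/bin/env python3
"""Triage macOS app bundles for disabled library validation.

Added example for this article; codesign invocation and the entitlement
subset below are assumptions, not the researchers' tooling.
"""
import plistlib
import subprocess
import sys
from pathlib import Path

DISABLE_LV = "com.apple.security.cs.disable-library-validation"
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"

# Illustrative subset of App Sandbox entitlements that an injected library
# would inherit, mapped to a human-readable resource name.
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.files.user-selected.read-write": "user-selected files",
    "com.apple.security.network.client": "outbound network",
}

# Constructed sample entitlements (not taken from any real Microsoft app).
SAMPLE_OPTED_OUT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
  <key>com.apple.security.network.client</key><true/>
</dict></plist>
"""

SAMPLE_HARDENED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.device.camera</key><true/>
</dict></plist>
"""


def read_entitlements(app_path: Path) -> bytes:
    """Return the main executable's entitlements as an XML plist (assumed
    codesign output format; ':-' strips the blob header on older releases)."""
    proc = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", str(app_path)],
        capture_output=True, check=True,
    )
    return proc.stdout


def triage(entitlements_xml: bytes) -> dict:
    """Classify an entitlement plist. Empty input means 'no entitlements'."""
    ents = plistlib.loads(entitlements_xml) if entitlements_xml.strip() else {}
    lv_disabled = bool(ents.get(DISABLE_LV))
    inherited = [name for key, name in SENSITIVE.items() if ents.get(key)]
    if lv_disabled:
        verdict = ("review: library validation disabled; an injected dylib "
                   "would inherit " + (", ".join(inherited) or "no listed resources")
                   + " (exploitable only if a library load path is writable)")
    else:
        verdict = "ok: library validation enforced"
    return {
        "library_validation_disabled": lv_disabled,
        "dyld_env_allowed": bool(ents.get(ALLOW_DYLD_ENV)),
        "inherited": inherited,
        "verdict": verdict,
    }


def main(argv: list[str]) -> int:
    """Scan the given .app bundles (default: everything under /Applications)."""
    targets = [Path(a) for a in argv[1:]] or sorted(Path("/Applications").glob("*.app"))
    for app in targets:
        try:
            result = triage(read_entitlements(app))
        except (subprocess.CalledProcessError, FileNotFoundError, plistlib.InvalidFileException) as exc:
            print(f"{app.name}: could not read entitlements ({exc})")
            continue
        if result["library_validation_disabled"]:
            print(f"{app.name}: {result['verdict']}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 triage_lv.py /Applications/Microsoft\ Outlook.app` on a Mac; the `triage()` function is kept separate from the `codesign` call so the classification can be exercised offline against the constructed samples. Confirm any hit by checking that the app also has the hardened runtime flag (`codesign -dvv` shows `flags=0x10000(runtime)`) and then looking for a library path under the bundle or a load location that a local attacker could write to.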
(Some) fixes
Cisco Talos shared its findings with Microsoft, which has removed the entitlement from Teams and OneNote; that was sufficient to fix the issue for those two applications.
But Microsoft is not removing it from Outlook, Word, Excel, or PowerPoint, as those apps need it for some add-ins to work.
“According to Apple, this entitlement allows the loading of plug-ins signed by third-party developers. Yet, as far as we know, the only ‘plug-ins’ available to Microsoft’s macOS apps are web-based and known as ‘Office add-ins’,” Benvenuto noted.
“The vulnerable apps leave the door open for adversaries to exploit all of the apps’ entitlements and, without any user prompts, reuse all the permissions already granted to the app, effectively serving as a permission broker for the attacker.”