August 19, 2024 at 03:07PM
Eight vulnerabilities in Microsoft’s macOS apps pose security risks by allowing unauthorized access to sensitive data, recording video and sound, and escalating privileges. Microsoft has been reluctant to address the issues, deeming them low risk and insisting that certain applications require the ability to load unsigned libraries. Apple’s security measures aim to safeguard against such exploits, but certain entitlements and vulnerabilities in Microsoft’s apps weaken these protections. Despite some updates to mitigate the bugs, concerns about the unnecessary vulnerability of Microsoft’s Office apps persist.
The meeting notes provided detailed information on the vulnerabilities identified by Cisco Talos in Microsoft’s macOS apps. The vulnerabilities exist across Excel, OneNote, Outlook, PowerPoint, Teams, and Word, and have been assigned specific CVE numbers. Microsoft has declined to fix these vulnerabilities, considering them low risk and claiming that it needs to allow the loading of unsigned libraries to support plugins.
Additionally, the meeting notes highlighted the Transparency, Consent, and Control (TCC) framework of Apple’s security model, which is permission-based and relies on entitlements. Exploiting these vulnerabilities could allow malicious actors to access sensitive data and resources while bypassing the TCC framework’s permission prompts.
Apple counters such attacks with methods such as sandboxing and the hardened runtime, but Benvenuto from Talos noted that some of Microsoft’s popular apps ship with entitlements that allow them to disable security features introduced by Apple’s hardened runtime, such as library validation.
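The mechanism described above can be checked from the defender's side: an app's embedded entitlements are a signed, inspectable property list, so an administrator can inventory which bundles opt out of library validation and which TCC-protected devices those same bundles declare. The script below is an added example written for this page, not code from Cisco Talos, Microsoft, or The Register. It parses the XML plist that `codesign -d --entitlements :- /Applications/Foo.app` prints (on newer macOS releases `codesign -d --entitlements - --xml`), and the sample entitlements embedded in it are constructed for illustration, not taken from any real Microsoft bundle. The entitlement keys are Apple's documented hardened-runtime and App Sandbox keys; the risk wording attached to each is this example's own.

```python
"""Inventory macOS app entitlements that weaken hardened-runtime protections.

Added example for illustration only; it is not the article's or Microsoft's code.
Reads an entitlements property list (the output of `codesign -d --entitlements`)
and reports which protections the bundle has opted out of. The sample plists at
the bottom are constructed, not captured from a real application.
"""
import plistlib
import sys
from typing import Dict, List, Union

# Hardened-runtime entitlements that relax Apple's defaults. The first is the
# library-validation opt-out discussed in the article: with it set, the process
# will load dylibs not signed by the same developer team, so code injected into
# the app runs with every TCC permission the user has already granted it.
RELAXING_ENTITLEMENTS: Dict[str, str] = {
    "com.apple.security.cs.disable-library-validation": "loads libraries not signed by the app's team",
    "com.apple.security.cs.allow-dyld-environment-variables": "honours DYLD_* environment variables",
    "com.apple.security.cs.allow-unsigned-executable-memory": "permits unsigned executable memory",
}

# App Sandbox entitlements declaring access to TCC-protected devices. They are
# listed so the report can say what an injected library would inherit. Only
# sandboxed apps need them; a non-sandboxed app reaches these devices via TCC
# consent alone, so their absence is not a clean bill of health.
SENSITIVE_RESOURCES: Dict[str, str] = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}

DISABLE_LIBRARY_VALIDATION = "com.apple.security.cs.disable-library-validation"


def audit_entitlements(plist_bytes: bytes) -> Dict[str, Union[List[str], bool]]:
    """Return which relaxing and resource entitlements are set to true."""
    ents = plistlib.loads(plist_bytes)  # <true/> becomes Python True
    relaxing = sorted(k for k, v in ents.items() if k in RELAXING_ENTITLEMENTS and v is True)
    resources = sorted(k for k, v in ents.items() if k in SENSITIVE_RESOURCES and v is True)
    return {
        "relaxing": relaxing,
        "resources": resources,
        "library_validation_disabled": DISABLE_LIBRARY_VALIDATION in relaxing,
    }


def render_report(findings: Dict[str, Union[List[str], bool]]) -> List[str]:
    """Turn audit results into human-readable lines for an inventory report."""
    lines: List[str] = []
    for key in findings["relaxing"]:
        lines.append(f"RELAXED  {key}: {RELAXING_ENTITLEMENTS[key]}")
    for key in findings["resources"]:
        lines.append(f"DECLARED {key}: {SENSITIVE_RESOURCES[key]} access")
    if findings["library_validation_disabled"] and findings["resources"]:
        lines.append("NOTE     injected code would inherit the declared device access")
    if not lines:
        lines.append("OK       no relaxing entitlements found")
    return lines


# Constructed sample: a sandboxed app that opts out of library validation while
# declaring camera and microphone access (the combination the article warns about).
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
    <key>com.apple.security.network.client</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: the same app after dropping the library-validation opt-out,
# the kind of change the article says Microsoft made to Teams and OneNote.
HARDENED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    # Pipe real codesign output in, or run with no input to see the samples.
    data = sys.stdin.buffer.read() if not sys.stdin.isatty() else SAMPLE_ENTITLEMENTS
    print("\n".join(render_report(audit_entitlements(data))))
```

Run it as `codesign -d --entitlements :- /Applications/Foo.app 2>/dev/null | python3 audit_entitlements.py` (adjust the `codesign` flags to the macOS version), or loop it over `/Applications/*.app` for a fleet inventory. The output is an inventory, not proof of exploitability: an app may legitimately need the opt-out for its plugin model, as Microsoft argues, so a `RELAXED` line marks a bundle to scrutinize and to watch for the vendor removing the entitlement, which is exactly the change that mitigated the Teams and OneNote bugs.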
However, it was noted that Microsoft has since updated its Teams apps and OneNote, removing the entitlement that allowed library injection, which mitigated the associated bugs. The Office apps, however, remained untouched, leaving them unnecessarily vulnerable.
Finally, it was mentioned that despite designating these vulnerabilities as low-risk and refusing to patch them, Microsoft had not provided a response to El Reg’s request for comment.
Overall, the meeting notes provided a comprehensive overview of the vulnerabilities and the response from both Talos and Microsoft regarding the identified issues.