Microsoft apps for macOS vulnerable to hacking, researchers find

Cisco Talos uncovered a total of eight flaws in Microsoft apps running on macOS that could allow an attacker to control the device’s resources without any user interaction. 

The attack involves injecting malicious code into Microsoft apps to gain entitlements and permissions.

Apple macOS has a multi-layered security model for apps, restricting the assets they can access and requiring user consent to use resources and data.

Basic protection is afforded by Discretionary Access Control (DAC), on top of which Apple layers Transparency, Consent and Control (TCC), which protects against privacy breaches and malicious software. TCC governs how applications can access sensitive user data and system resources, requiring applications to obtain explicit user consent before accessing protected resources such as contacts, calendars, photos and location information. Users can grant or deny access to the app.

TCC also works with “entitlements”, which are capabilities required for an app’s functionality. Developers choose these entitlements from a selection provided by Apple. Entitlements ensure that apps only have access to the resources they need, such as location services, camera or microphone. When an app with specific entitlements requests access to a protected resource, a permission pop-up appears, asking the user for their consent.

The eight vulnerabilities in Microsoft apps for macOS identified by Cisco Talos could allow an attacker to bypass this layered security system by injecting malicious code, giving them permissions to access data and resources without requiring any interaction from the user.

“Despite its strength, the macOS security model isn’t foolproof,” researcher Francesco Benvenuto wrote in a blog post. “Elevated permissions given to applications could be hijacked, potentially turning these apps into conduits for unauthorised access to sensitive resources.”

Microsoft considers this threat to be “low risk” because it requires the loading of unsigned libraries or plugins. Nevertheless, it has patched Teams and OneNote to prevent such an attack, changing the way those apps handle library validation entitlement; but Excel, PowerPoint, Word and Outlook are still vulnerable.

Benvenuto said Microsoft’s implementation of entitlements circumvents some of Apple’s safeguards concerning third-party code, and suggested that Apple could strengthen these protections to prevent this.
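For administrators who want to check which installed apps combine relaxed library validation with access to protected resources, the following added example (not from the article or from Cisco Talos) parses an app's entitlements plist, such as the one `codesign -d --entitlements` prints, and flags that combination. The entitlement key names are Apple's and are not named in the article; the function names and both sample plists are constructed for illustration.

```python
import plistlib

# Apple entitlement keys (assumed here; the article does not spell them out).
DISABLE_LIBRARY_VALIDATION = "com.apple.security.cs.disable-library-validation"
RESOURCE_ENTITLEMENTS = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendars",
    "com.apple.security.personal-information.photos-library": "photos",
    "com.apple.security.personal-information.location": "location",
}

def audit_entitlements(plist_bytes):
    """Return (library_validation_disabled, sorted protected resources)."""
    ents = plistlib.loads(plist_bytes)
    # Only a boolean true counts; an absent or false key leaves validation on.
    lv_disabled = ents.get(DISABLE_LIBRARY_VALIDATION) is True
    resources = sorted(
        name for key, name in RESOURCE_ENTITLEMENTS.items()
        if ents.get(key) is True
    )
    return lv_disabled, resources

def needs_review(plist_bytes):
    """Flag apps that both skip library validation and hold resource entitlements."""
    lv_disabled, resources = audit_entitlements(plist_bytes)
    return lv_disabled and bool(resources)

# Constructed sample: library validation disabled, camera and microphone held.
SAMPLE_RELAXED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict></plist>"""

# Constructed sample: same resources, library validation left enforced.
SAMPLE_ENFORCED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for label, sample in (("relaxed", SAMPLE_RELAXED), ("enforced", SAMPLE_ENFORCED)):
        print(label, audit_entitlements(sample), "review:", needs_review(sample))
```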

Commenting on the issue, Michael Covington, VP of strategy at security vendor Jamf, said that the self-policing model granted to third-party apps over some aspects of security is a chink in Apple’s armour.

“Microsoft’s apps were found to disable checks on third-party libraries being loaded,” he said.

“This is a noteworthy flaw in apps that naturally require permissions to Apple’s controlled resources, like the camera or microphone, because users are inclined to grant such permissions to collaboration tools like Microsoft Teams or logging tools like OneNote. Fortunately, Microsoft agreed to update these applications.

“It is worth noting that some apps, such as Microsoft Word, Excel, Outlook and PowerPoint, will not receive the fix and continue to be susceptible to attacks. The reality is that vigilant users are unlikely to grant sensitive permissions to these productivity tools, so the risk is low. The question remains, however, why the lower risk is worth the confusion this causes users.”

 
