A significant flaw in Microsoft's macOS apps has been discovered, allowing hackers to access microphones and cameras on Mac computers without users' permission.
The vulnerability was disclosed by cybersecurity team Cisco Talos, which outlined in a blog post the details of how this vulnerability could be exploited by attackers and the steps Microsoft is taking to mitigate the issue.
Vulnerable applications include Microsoft Outlook, Teams, and other Microsoft products for macOS.
Affected Microsoft Applications and Severity of the Flaw
The flaw allows hackers to use a technique known as library injection to hijack permissions already granted to these applications, allowing them to gain unauthorized access to critical resources such as the microphone and camera.
In macOS, Apple uses the Transparency, Consent, and Control (TCC) system to manage access permissions to sensitive device features, such as the camera and microphone.
This system typically requires apps to obtain explicit user consent to access these resources. However, the newly discovered flaw allows malicious software to bypass these restrictions by exploiting permissions previously granted to legitimate Microsoft apps.
Technical Details of the Vulnerability
Cisco Talos has identified a total of eight vulnerabilities in Microsoft applications for macOS, each of which allows attackers to bypass the operating system's security permissions.
This paves the way for access to features such as audio recording and image capture, without the user being notified or needing to grant new permission.
The problem is particularly worrying because it affects a range of applications widely used in the corporate environment, where information security is crucial.
In addition to Microsoft Teams and Outlook, other applications in the Microsoft Office suite, such as Word and PowerPoint, are also vulnerable. Interestingly, Excel, despite being part of the same suite, was not identified as affected by this specific flaw.
Microsoft Response and Corrective Measures
Microsoft has already begun the process of patching the flaw, although a complete resolution of the issue does not appear to be an immediate priority for the company. According to Cisco Talos, Microsoft classifies the risk as low because the vulnerability involves the use of unsigned libraries that support third-party plug-ins.
After being alerted to the issue, Microsoft updated the Teams and OneNote apps for macOS, adjusting how these apps handle library validation.
However, other Microsoft applications such as Excel, PowerPoint, Word and Outlook remain vulnerable.
The lack of a comprehensive fix raises concerns among security experts, who question why Microsoft removed library validation in the first place, especially when there is no need to load additional libraries for these applications.
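For defenders who want to inventory this exposure, the following added example (not code from Cisco Talos or Microsoft) flags apps whose code-signing entitlements both relax library loading and declare camera or microphone use. The entitlement keys are Apple's real ones; the app names and plists are constructed samples standing in for the XML printed by `codesign -d --entitlements - --xml <app>`.

```python
import plistlib

# Real macOS hardened-runtime entitlement keys.
DISABLE_LV = "com.apple.security.cs.disable-library-validation"
DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}


def audit_entitlements(xml_bytes):
    """Audit one app's entitlements plist (XML bytes) for the risky combination."""
    ent = plistlib.loads(xml_bytes)
    # Resources the app is allowed to request from TCC.
    resources = sorted(n for k, n in SENSITIVE.items() if ent.get(k) is True)
    # Entitlements that let code not signed by the vendor run in the process.
    weakened_by = [k for k in (DISABLE_LV, DYLD_ENV) if ent.get(k) is True]
    return {
        "resources": resources,
        "weakened_by": weakened_by,
        # An injected library inherits whatever TCC access the user granted.
        "at_risk": bool(resources and weakened_by),
    }


def _plist(entries):
    return plistlib.dumps(entries, fmt=plistlib.FMT_XML)


# Constructed sample entitlements (hypothetical apps, not real products).
SAMPLES = {
    "ExampleMeetingApp": _plist({
        "com.apple.security.device.camera": True,
        "com.apple.security.device.audio-input": True,
        DISABLE_LV: True,
    }),
    "ExampleHardenedApp": _plist({
        "com.apple.security.device.camera": True,
        "com.apple.security.device.audio-input": True,
    }),
    "ExampleEditor": _plist({DISABLE_LV: True}),
}


def audit_all(samples):
    return {name: audit_entitlements(xml) for name, xml in samples.items()}


if __name__ == "__main__":
    for name, result in audit_all(SAMPLES).items():
        print(name, "AT RISK" if result["at_risk"] else "ok", result)
```

An `at_risk` result only means the preconditions exist; whether the app actually holds camera or microphone access depends on what the user has granted in TCC.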
Safety Recommendations and Suggestions for Improvement
Cisco Talos researchers suggest that in addition to Microsoft's actions, Apple could also take a more active role in improving TCC security.
One suggestion is that the macOS operating system alert users when third-party plug-ins are loaded into apps that already have permissions granted. This would increase transparency and allow users to make more informed decisions about the security of their devices.
This incident underscores the importance of continued vigilance over application security, especially in corporate environments where confidentiality and integrity of information are essential.
The flaw discovered in Microsoft's macOS apps exposes the risks that can arise when security breaches are not addressed immediately and effectively.
Collaboration between major technology companies like Microsoft and Apple and independent security teams like Cisco Talos is crucial to ensuring that vulnerabilities are identified and fixed quickly.
However, slow or partial response by the companies involved could leave users exposed to significant risks, undermining trust in widely used products.