Eight security vulnerabilities have been discovered in Microsoft applications for macOS, exposing users to attacks that could allow unauthorized access to sensitive data. These flaws affect popular apps such as Outlook, Teams, Word, Excel, PowerPoint, and OneNote.
Attackers can exploit these vulnerabilities to bypass macOS’s Transparency, Consent, and Control (TCC) framework, which manages app permissions. By getting malicious libraries loaded into the apps, attackers inherit the permissions already granted to the trusted software, a technique known as dylib hijacking. Once compromised, the apps could give attackers access to sensitive information, allow them to send emails, or even record audio or video without the user’s knowledge.
Despite these risks, Microsoft has seemingly downplayed the severity, though some issues have been addressed in OneNote and Teams.
Why It Matters: These vulnerabilities underscore the persistent risks posed by third-party applications and their interactions with macOS’s permissions systems. The ability to hijack trusted applications’ privileges could have far-reaching security implications, especially for enterprises relying heavily on Microsoft’s productivity suite.
- TCC Framework Exploited: macOS’s TCC framework, designed to manage user permissions, can be circumvented by exploiting the vulnerabilities in Microsoft applications. This enables unauthorized access to sensitive user data without explicit consent.
- Affected Applications: The vulnerabilities span key Microsoft apps such as Outlook, Teams, Word, Excel, PowerPoint, and OneNote, widely used across enterprise and personal environments.
- Microsoft’s Response: Microsoft acknowledged the vulnerabilities but classified them as low risk, stating that loading unsigned libraries is necessary to support plugins. However, the company has already taken steps to address the flaws in OneNote and Teams.
- Complexity of Securing Plugins: The security of third-party plugins remains a challenge. Potential solutions such as notarization of plugins are complex and would require further involvement from Apple or Microsoft to ensure the safety of external modules.
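
A defender-side check for the condition described above, as an added example that is not from the original article, Microsoft, or Apple: it parses an app's entitlements plist and flags apps that both relax library loading and hold entitlements for TCC-protected resources. The entitlement keys are Apple's hardened-runtime keys; the app names and sample plists are constructed, and the `review` rule is an assumed triage heuristic.

```python
import plistlib

# Hardened-runtime exceptions that relax what code a process may load.
LOADER_EXCEPTIONS = (
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
)
# Entitlements that allow an app to request TCC-protected resources.
TCC_RESOURCES = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendars",
    "com.apple.security.automation.apple-events": "apple-events",
}

def audit_entitlements(plist_bytes):
    """Classify one app's entitlements plist (XML or binary)."""
    # An app without entitlements yields empty output; treat it as an empty dict.
    ent = plistlib.loads(plist_bytes) if plist_bytes.strip() else {}
    relaxed = [k for k in LOADER_EXCEPTIONS if ent.get(k) is True]
    resources = sorted(n for k, n in TCC_RESOURCES.items() if ent.get(k) is True)
    return {
        "relaxed_loading": relaxed,
        "tcc_resources": resources,
        # Flag for review: libraries loaded by the app share these permissions.
        "review": bool(relaxed and resources),
    }

# Constructed sample entitlements (not taken from any real application).
SAMPLES = {
    "PluginHost.app": plistlib.dumps({
        "com.apple.security.cs.disable-library-validation": True,
        "com.apple.security.device.camera": True,
        "com.apple.security.device.audio-input": True,
    }),
    "Validated.app": plistlib.dumps({
        "com.apple.security.device.camera": True,
        "com.apple.security.cs.disable-library-validation": False,
    }),
    "NoEntitlements.app": b"",
}

def audit_all(samples):
    return {name: audit_entitlements(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, result in audit_all(SAMPLES).items():
        print(name, result)
```

On macOS, the plist for an installed app can be obtained with `codesign -d --entitlements :- /path/to/App.app` and passed to `audit_entitlements` as bytes.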