Multiple Microsoft Apps for macOS Vulnerable to Library Injection Attacks

UPDATE

Widely used Microsoft apps for macOS are vulnerable to library injection attacks that let adversaries use the applications' entitlements to bypass macOS's strict permission-based security model and controls.

Attackers can abuse the vulnerable apps to execute a variety of malicious actions — like surreptitiously sending emails from a user's account or recording audio and video clips — without the user's knowledge and without the need for any user interaction.

Researchers from Cisco Talos recently discovered the issues when researching the exploitability of Apple's Transparency, Consent and Control (TCC) framework for managing and enforcing privacy settings on user data and various system services on macOS systems. One of TCC's core functions is controlling an application's access to sensitive user data and to system features like the camera, microphone, contacts, calendars, and location services.

Vulnerable Apps

Cisco Talos researchers found eight major Microsoft apps for macOS — Outlook, Teams, PowerPoint, OneNote, Excel, Word, and two other Teams-related components — allow attackers to inject a malicious library into the app's running processes. "That library could use all the permissions already granted to the process, effectively operating on behalf of the application itself," Cisco Talos said in a report this week.

The issue identified by Cisco Talos has to do with Microsoft's decision to disable a library validation feature in the apps so as to allow the loading of third-party plug-ins. "Permissions regulate whether an app can access resources such as the microphone, camera, folders, screen recording, user input, and more. So, if an adversary were to gain access to these, they could potentially leak sensitive information or, in the worst case, escalate privileges," the researchers said.

Francesco Benvenuto, vulnerability researcher with Cisco Talos, says organizations cannot enable library validation at their end even if they want to. "Microsoft says it is required for add-ins to work, but Talos has been unable to get clarification for which those are. The add-ins we found were all written in HTML5 which wouldn't require them to disable this entitlement," he says.

According to Cisco Talos, Microsoft has characterized the issue as a low-severity threat and has said it will not issue any fix for them. Even so, Microsoft does appear to have updated the affected Teams and OneNote apps after being notified of the problem, Cisco Talos said. But four Microsoft apps for macOS — Excel, Outlook, PowerPoint, and Word remain vulnerable — the security vendor said.

In an emailed statement, a Microsoft spokesperson downplayed the severity of the issue identified by Talos. "The disclosed cases do not pose a significant security risk as the technique described requires the attacker to already have a certain level of access to the system," the statement said. "However, we have implemented several updates for added protection, as detailed in the report. As a best practice, customers should keep their software updated and regularly review application permissions."

Apple's TCC Undermined

Benvenuto says an attacker would need to run with the user’s privileges, either through a shell or through a malicious application. "Inserting into these processes is relatively easy. The attacker can copy the binary to a writable location, for example /tmp, and insert their own library."

Jason Soroko, senior vice president of product at Sectigo, says Microsoft's decision to classify the issue as low-severity and opt not to issue a fix is potentially risky. "This approach overlooks the harm if attackers exploit these vulnerabilities to gain unauthorized access to sensitive device features like the camera or microphone," Soroko says. "By downplaying the threat, Microsoft risks underestimating the ingenuity of attackers who could weaponize even 'low severity' flaws in creative and damaging ways."

Cisco Talos itself has described the Microsoft apps as undermining the security and privacy protection of Apple's TCC framework. Unlike most other operating systems that rely by default on what is known as Discretionary Access Control, TCC goes a step further in requiring apps to obtain explicit user permission when seeking to access certain content and services such as contacts, calendars, photos, and access to the microphone and camera. TCC also supports a feature that protects specifically against code and library injection into an application's running processes.

By disabling library validation, Microsoft has essentially given an opening for attackers to do an end run around the protections and sneak an arbitrary library into the app's running processes, Cisco Talos said.

Soroko says the ease of exploiting this issue varies. "While library injection attacks require technical skill, the fact that these vulnerabilities exist in widely used applications like Teams and Outlook increases the risk profile. An attacker with sufficient knowledge could exploit these flaws, particularly in environments with relaxed security practices."

He recommends that organizations review and tighten app permissions and implement monitoring for unusual activity.

This story was updated at 1:26pm ET to include additional detail from Cisco Talos and again at 2:55pm ET to reflect comments from Microsoft.