Cisco Talos reveals 8 vulnerabilities in Microsoft’s macOS apps, exploiting TCC framework weaknesses. Hackers can bypass security, inject malware, and access data. Updates are crucial for protection.
Cisco Talos has discovered eight vulnerabilities in Microsoft’s macOS applications, highlighting the vulnerability of the platform’s permission-based security model, the Transparency, Consent, and Control (TCC) framework.
TCC is a security policy that protects user data and system resources by requiring explicit user consent before applications can access them. However, researchers found that they could exploit vulnerabilities in Microsoft applications to bypass TCC and gain access to sensitive user data and resources without user consent.
The research, published on 19 August 2024 focuses on the vulnerability of libraries to exploit permissions or entitlements of other applications, also called library injection or Dylib Hijacking. MacOS counters this threat with features like hardened runtime, which reduces the likelihood of an attacker executing arbitrary code through another app’s process.
However, if an attacker manages to inject a library into the process space of a running application, that library could use all the permissions already granted to the process, effectively operating on behalf of the application itself.
It happens because some applications, like Microsoft Teams, have certain entitlements that disable critical security features. Such as Teams has the com.apple.security.cs.disable-library-validation entitlement that allows an application to load third-party libraries without performing signature validation. This creates an opening for attackers, as they can exploit these gaps to inject malicious libraries that can inherit the permissions of the trusted application.
The attack involves hackers exploiting vulnerabilities in macOS systems to gain unauthorized access. They target known vulnerabilities, such as disabled library validation in Microsoft Teams. Once identified, they exploit the vulnerability by tricking users into opening malicious attachments or clicking on compromised links. They inject malicious libraries into the application’s process, bypassing security measures and stealing permissions.
These libraries can then elevate the attacker’s privileges, granting them access to sensitive data and system resources. In some cases, they may also implement persistence mechanisms to ensure continued access even after a system reboot.
These vulnerabilities can allow attackers to send emails, record audio clips, take pictures, or record videos without user interaction. Microsoft considers these issues low risk, but four applications reported by researchers were updated and no longer vulnerable to the scenario described.
Here is a list of vulnerabilities identified by Talos, along with their Talos IDs and associated CVEs:
| Talos ID | CVE | App name |
|---|---|---|
| TALOS-2024-1972 | CVE-2024-42220 | Microsoft Outlook |
| TALOS-2024-1973 | CVE-2024-42004 | Microsoft Teams (work or school) |
| TALOS-2024-1974 | CVE-2024-39804 | Microsoft PowerPoint |
| TALOS-2024-1975 | CVE-2024-41159 | Microsoft OneNote |
| TALOS-2024-1976 | CVE-2024-43106 | Microsoft Excel |
| TALOS-2024-1977 | CVE-2024-41165 | Microsoft Word |
| TALOS-2024-1990 | CVE-2024-41145 | Microsoft Teams (work or school) WebView.app helper app |
| TALOS-2024-1991 | CVE-2024-41138 | Microsoft Teams (work or school) com.microsoft.teams2.modulehost.app |
Regular software updates, cautious use of unfamiliar links and attachments, reputable security solutions, and safe browsing habits can significantly reduce the risk of malware attacks exploiting vulnerabilities in Microsoft apps for macOS.
