Multiple flaws in Microsoft macOS apps unpatched despite potential risks

Windows giant tells Cisco Talos it isn't fixing them


Cisco Talos says eight vulnerabilities in Microsoft's macOS apps could be abused by nefarious types to record video and sound from a user's device, access sensitive data, log user input, and escalate privileges.

The vulnerabilities exist across Excel, OneNote, Outlook, PowerPoint, Teams, and Word, but Microsoft told Talos it won't be fixing them. All eight can be seen below:

"Microsoft considers these issues low risk, and some of their applications, they claim, need to allow loading of unsigned libraries to support plugins and have declined to fix the issues," said Francesco Benvenuto, senior security research engineer at Talos.

Apple's security model is permission-based and relies on the transparency, consent, and control (TCC) framework. macOS users will know it as the mechanism that asks for permission to run new apps and that prompts when those apps want to access sensitive resources such as contacts, photos, the webcam, and so on.

TCC works with what Apple calls entitlements, of which only a few are available to software makers, and developers choose what entitlements they need to have enabled.

So, if they know their app has a feature that requires the device's microphone, they enable that entitlement. Once it's enabled, macOS notices it needs to ask the user if that's OK, and delivers a prompt to get their explicit consent.

The whole idea behind Talos's work here is that once these entitlements, permissions – whatever you want to call them – are set by the user, they stay set unless manually changed in macOS's system settings.

If an attacker can take advantage of the apps that have already been granted permission to do the things they want to, they no longer have to trick a target into running a shady program; they can just exploit Word instead, for example, and inject some code into Word's processes so they can access protected resources.

Apple counters this with a few methods. App sandboxing is one. Every macOS app downloaded from the App Store is sandboxed, and a sandboxed app can only access the resources its developers declared through entitlements.

Hardened runtime is another protection that works alongside the sandbox. It stops an app from loading libraries other than those the developers or Apple itself have signed off on, which in turn stops attackers from executing code via trusted apps.

Benvenuto said that some of Microsoft's most popular apps have entitlements enabled that allow them to disable security features introduced by Apple's hardened runtime, such as library validation.

"Even though hardened runtime guards against library injection attacks and the sandbox secures user data and system resources, malware might still find ways to exploit certain applications under specific conditions," the researcher said.

"If successful, this would allow the attacker to assume the application's entitlements and permissions. It's important to note that not all sandboxed applications are equally susceptible. Typically, a combination of specific entitlements or vulnerabilities is required for an app to become a viable attack vector.

"The vulnerabilities we're addressing are relevant when an application loads libraries from locations an attacker could potentially manipulate. If the application has the com.apple.security.cs.disable-library-validation entitlement, it allows an attacker to inject any library and run arbitrary code within the compromised application. As a result, the attacker could exploit the application's full set of permissions and entitlements."

All the Microsoft apps in question run under hardened runtime but also disable library validation through an entitlement, which effectively removes the protection against malicious library injection, Benvenuto argued.
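As an added example (not Talos's or Microsoft's code), here is a defender-side audit script that reads an app's code-signing entitlements and flags the hardened-runtime opt-outs described above. The codesign invocation is an assumption about the macOS tool, the sample plist is constructed, and the two extra keys are related Apple hardened-runtime entitlements beyond the one the article names.

```python
import plistlib
import shutil
import subprocess
import sys

# Hardened-runtime exception entitlements that weaken library-loading
# protections. The first is the one named in the article; the other two are
# real Apple hardened-runtime keys added here for a fuller audit.
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation":
        "may load libraries not signed by the same Team ID or by Apple",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* variables, another library-loading path",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "may create unsigned executable memory",
}

def risky_entitlements(plist_bytes: bytes) -> dict:
    """Return {entitlement: reason} for each risky key that is set to true."""
    ents = plistlib.loads(plist_bytes)
    return {k: why for k, why in RISKY_ENTITLEMENTS.items() if ents.get(k) is True}

def audit_app(app_path: str) -> dict:
    """Dump a real bundle's entitlements with codesign and audit them."""
    # Assumes macOS; `codesign -d --entitlements :- <app>` is assumed to print
    # the entitlements as an XML plist on stdout.
    if shutil.which("codesign") is None:
        raise RuntimeError("codesign not found; run this on macOS")
    out = subprocess.run(["codesign", "-d", "--entitlements", ":-", app_path],
                         capture_output=True, check=True).stdout
    return risky_entitlements(out)

# Constructed sample: a sandboxed app with camera access that also opts out of
# library validation, i.e. the combination the article warns about.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><false/>
</dict></plist>"""

if __name__ == "__main__":
    findings = audit_app(sys.argv[1]) if len(sys.argv) > 1 \
        else risky_entitlements(SAMPLE_ENTITLEMENTS)
    for key, why in findings.items():
        print(f"WARNING {key}: {why}")
```

Run it with a bundle path on a Mac to audit a real app, or with no arguments to see the constructed sample flagged.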

He also highlighted that the only plugins available to Microsoft's macOS apps are Office add-ins, meaning there is no apparent reason to open their apps to running plugins from third parties, as they did through the entitlements.

The researcher didn't go as far as to provide a working exploit showing how the issue could be abused in real-world attacks. The investigation instead served more as a reminder of the ways in which software vendors ship apps to macOS that might not be as secure as the user would believe. We asked Talos for a bit more on this and will update if they offer more information.

Despite classifying these vulnerabilities as low risk and declining to patch them, Microsoft has since updated its Teams and OneNote apps, removing the entitlement that allowed library injection and essentially mitigating those bugs.

The Office apps were left untouched, though, and in Benvenuto's view remain unnecessarily vulnerable.

El Reg approached Microsoft for a response, but there was no immediate reply. ®
