Eight security vulnerabilities have been identified in Microsoft applications for macOS that could be exploited by attackers to gain elevated privileges or access sensitive data. These flaws allow adversaries to bypass the operating system’s permissions model, which is built around Apple’s Transparency, Consent, and Control (TCC) framework.
“If successful, an attacker could inherit all privileges granted to the affected Microsoft applications,” Cisco Talos reported. “This could enable actions like sending emails from the user’s account, recording audio, capturing photos or videos, all without the user’s awareness or interaction.”
The vulnerabilities affect a range of applications, including Outlook, Teams, Word, Excel, PowerPoint, and OneNote.
The cybersecurity firm noted that malicious libraries could be injected into these applications, allowing them to inherit the apps’ entitlements and user-granted permissions, potentially enabling the extraction of sensitive information depending on the access level of each app.
TCC, a framework developed by Apple, manages access to sensitive user data on macOS, providing users with transparency about how their data is accessed and used by different installed applications.
TCC operates through an encrypted database that records the permissions granted by the user to each application, ensuring consistent enforcement of these preferences across the system.
“TCC works alongside the application sandboxing feature in macOS and iOS,” Huntress explains. “Sandboxing limits an app’s access to the system and other applications, adding an additional layer of security. TCC ensures that apps can only access data for which they have received explicit user consent.”
Sandboxing also serves as a defense against code injection, a tactic where attackers insert malicious code into legitimate processes to access protected data.
“Library injection, or Dylib Hijacking in the context of macOS, is a method where code is inserted into the running process of an application,” Talos researcher Francesco Benvenuto explained. “macOS mitigates this threat with features like hardened runtime, which reduce the chances of an attacker executing arbitrary code through another app’s process.”
“However, if an attacker manages to inject a library into a running application, that library could exploit all the permissions already granted to the process, effectively acting as the application itself.”
It’s important to note that attacks of this nature require the threat actor to already have some level of access to the compromised host. This access could be exploited to open a more privileged app and inject a malicious library, effectively granting the attacker the permissions associated with the compromised app.
In other words, if an attacker manages to infiltrate a trusted application, they could misuse its permissions to gain unauthorized access to sensitive information, all without the user’s consent or knowledge.
Such a breach could occur when an application loads libraries from locations the attacker can manipulate, especially if the application has disabled library validation by setting a risky entitlement to true. When library validation is enabled, it restricts the libraries an application can load to those signed by the application’s developer or by Apple.
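As an added, defender-side example (not from the Talos report and not Microsoft's code), the Python below audits an app's entitlements for exactly this combination: library validation disabled alongside entitlements that reach the camera, microphone or personal data. It assumes the `codesign` tool is on PATH with its `--xml` flag available (macOS 12 or later); the entitlement keys are Apple's documented names, and the sample plist is constructed for illustration.

```python
import plistlib
import subprocess
from typing import Dict, List

# Hardened-runtime entitlement that switches off library validation. When it
# is true, the app may load dylibs not signed by its own Team ID or by Apple.
DISABLE_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"

# Sandbox entitlements whose user grants an injected library would inherit
# (a short selection; Apple's full list is longer).
SENSITIVE_ENTITLEMENTS: List[str] = [
    "com.apple.security.device.camera",
    "com.apple.security.device.audio-input",
    "com.apple.security.personal-information.addressbook",
    "com.apple.security.personal-information.calendars",
]

# Constructed sample entitlements plist, not taken from any real app.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.device.camera</key><true/>
</dict></plist>"""


def audit_entitlements(plist_xml: bytes) -> Dict[str, object]:
    """Parse an entitlements plist and report whether the app could act as a
    permission broker: unsigned libraries allowed plus sensitive grants."""
    ents = plistlib.loads(plist_xml) if plist_xml.strip() else {}
    disabled = bool(ents.get(DISABLE_LIB_VALIDATION, False))
    granted = [k for k in SENSITIVE_ENTITLEMENTS if ents.get(k)]
    return {
        "library_validation_disabled": disabled,
        "sensitive_entitlements": granted,
        "permission_broker_risk": disabled and bool(granted),
    }


def entitlements_of(app_path: str) -> bytes:
    """Dump an app bundle's entitlements as XML via codesign (macOS only).
    ':-' strips the blob header; '--xml' is assumed present (macOS 12+)."""
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", "--xml", app_path],
        capture_output=True, check=True,
    )
    return out.stdout


if __name__ == "__main__":
    import sys
    for app in sys.argv[1:]:
        report = audit_entitlements(entitlements_of(app))
        print("RISK" if report["permission_broker_risk"] else "ok", app, report)
```

Run it as `python3 audit.py /Applications/SomeApp.app` on a Mac; apps flagged RISK are the ones where hardening the library-load paths or re-enabling validation would pay off most.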
“macOS relies on applications to enforce their permissions,” Benvenuto noted. “Failure in this responsibility can lead to a breach of the entire permission model, with applications inadvertently serving as proxies for unauthorized actions, bypassing TCC and compromising the system’s security.”
Microsoft, however, considers the identified vulnerabilities to be of “low risk,” noting that the apps need to load unsigned libraries to support plugins. Nevertheless, the company has taken steps to address the issue in its OneNote and Teams apps.
“The vulnerable apps provide an opportunity for adversaries to exploit all of the app’s entitlements and, without any user prompts, reuse all the permissions already granted to the app, essentially acting as a permission broker for the attacker,” Benvenuto said.
“It’s also worth noting that securely handling such plug-ins within macOS’s current framework is challenging. Notarization of third-party plug-ins could be a solution, though it is complex and would require Microsoft or Apple to sign third-party modules after verifying their security.”
Source: TheHackerNews