Bugs in Microsoft macOS apps give access to camera, mic

August 20, 2024


TLDR:

  • Cisco Talos identified eight vulnerabilities in Microsoft’s macOS apps that let an attacker who already has code running on the Mac inject a library into the apps and inherit their granted permissions: camera and microphone access, sensitive data, user input logging, and privilege escalation to whatever the app may do.
  • Microsoft has decided not to patch the Office apps, considering the issues low risk, though it has removed the offending entitlement from Teams and OneNote.

Cisco Talos discovered multiple flaws in Microsoft’s macOS apps that could pose significant risks to users. The vulnerabilities affect popular applications including Excel, OneNote, Outlook, PowerPoint, Teams and Word. In each case an attacker who can already run code on the machine can inject a library into the app’s process and act with the permissions the user has granted that app through macOS’s privacy framework (TCC): recording from the camera and microphone, reading sensitive data, logging user input, and otherwise escalating to whatever the trusted app is allowed to do, without triggering a new permission prompt. Talos reported the issues to Microsoft, which responded that it does not plan to fix them.

Francesco Benvenuto, a senior security research engineer at Talos, highlighted that some of Microsoft’s macOS apps carry entitlements that disable security features introduced by Apple’s hardened runtime, which under specific conditions lets an attacker bypass the protections against malicious library injection. The feature at issue is library validation: with the hardened runtime enabled, a process may only load dynamic libraries signed by Apple or by the app’s own Team ID. The entitlement com.apple.security.cs.disable-library-validation removes that check, so a local attacker can get the app to load an unsigned or differently-signed dylib, and because the injected code then runs inside a process the user has already trusted, macOS does not ask for consent again.
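To make that concrete, here is an added audit script (written for this article, not code from Cisco Talos or Microsoft) that takes an app’s entitlements plist and reports whether it combines a library-validation bypass with entitlements for TCC-protected resources such as the camera or microphone. It assumes you have already extracted the entitlements with codesign (for example codesign -d --entitlements :- --xml "/Applications/Microsoft Word.app"; on macOS versions before 12 omit --xml). The two plists embedded in the script are constructed for the demonstration, not copied from any Microsoft app, and the two extra entitlement keys beyond disable-library-validation are a generalisation taken from Apple’s entitlement documentation rather than from the Talos report.

```python
"""Audit an app's entitlements for the hardened-runtime weakness Talos describes.

Added example for this article, not code from Cisco Talos or Microsoft.
On macOS you would obtain the entitlements as an XML plist with
    codesign -d --entitlements :- --xml "/Applications/Microsoft Word.app"
(--xml is needed on macOS 12 and later, which otherwise emit DER).
The two plists embedded below are constructed for the demo and are not
copied from any real application.
"""
import plistlib

# Entitlements that relax hardened-runtime code-loading protections.
# disable-library-validation is the one Talos called out; the other two are
# included as a generalisation (assumption: taken from Apple's entitlement
# docs, not from the Talos report) because they open comparable paths.
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation":
        "may load dylibs not signed by Apple or by the app's own Team ID",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_INSERT_LIBRARIES, so dyld injects a library at launch",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "permits unsigned executable memory, easing in-process code injection",
}

# Hardened-runtime resource entitlements that gate TCC-protected data; an
# injected library inherits whatever the user has already granted the app.
TCC_ENTITLEMENTS = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.automation.apple-events": "Apple Events (drive other apps)",
}


def parse_entitlements(raw: bytes) -> dict:
    """Parse codesign output into a dict, tolerating the binary blob header
    that codesign prints before the XML when the ':' prefix is omitted."""
    start = raw.find(b"<?xml")
    if start < 0:
        raise ValueError("no XML plist found in entitlements blob")
    return plistlib.loads(raw[start:])


def audit_entitlements(raw: bytes) -> dict:
    """Return which risky entitlements are set, which TCC resources the app
    can reach, and whether the combination lets injected code piggy-back."""
    ents = parse_entitlements(raw)
    risky = {k: why for k, why in RISKY_ENTITLEMENTS.items() if ents.get(k) is True}
    exposed = [name for k, name in TCC_ENTITLEMENTS.items() if ents.get(k) is True]
    return {"risky": risky, "exposed": exposed,
            "injectable": bool(risky) and bool(exposed)}


# Constructed sample: an app that can reach camera/mic/automation and also
# disables library validation (the pattern Talos reported).
WEAK_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
    <key>com.apple.security.automation.apple-events</key>
    <true/>
</dict>
</plist>
"""

# Constructed sample: same resource access, but library validation intact
# (what removing the entitlement, as Microsoft did for Teams/OneNote, yields).
HARDENED_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
</dict>
</plist>
"""


def main() -> None:
    for label, blob in (("weak app", WEAK_ENTITLEMENTS), ("hardened app", HARDENED_ENTITLEMENTS)):
        report = audit_entitlements(blob)
        print(f"{label}: injectable={report['injectable']}")
        for key, why in report["risky"].items():
            print(f"  risky entitlement {key}: {why}")
        if report["exposed"]:
            print(f"  TCC resources an injected dylib would inherit: {', '.join(report['exposed'])}")


if __name__ == "__main__":
    main()
```

On a real app, injectable=True means a dylib loaded through the weakened runtime would obtain the app’s already-granted camera, microphone or automation access without a new prompt. The check is only as good as the TCC grants behind it: an app that carries the resource entitlements but has never been approved by the user still yields nothing to the attacker, so pair this with a look at the TCC database on the host you are assessing.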

Microsoft has since updated Teams and OneNote to remove the entitlement that allowed library injection, but according to Benvenuto the Office apps (Excel, Outlook, PowerPoint and Word) remain vulnerable. Microsoft’s position is that the issues are low risk: exploitation requires an attacker who already has code running on the machine, and the entitlement exists so the apps can load third-party plug-ins that Microsoft has not signed. A practitioner should weigh that rationale against the fact that, in the unpatched apps, the prompt-free path from a foothold to the camera, microphone and user data persists. The Talos investigation is a reminder that entitlements which relax the hardened runtime are part of an application’s attack surface, not merely a build setting, and that vendors leaving such issues unaddressed shift the risk onto their users.

