TLDR:
- Cisco Talos identified eight vulnerabilities in Microsoft’s macOS apps that could be exploited for unauthorized access to camera and microphone, sensitive data, user input logging, and privilege escalation.
- Microsoft has decided not to patch these vulnerabilities, considering them low risk.
Cisco Talos discovered multiple flaws in Microsoft’s macOS apps that could pose significant risks to users. The vulnerabilities affect popular applications such as Excel, OneNote, Outlook, PowerPoint, Teams, and Word, and could allow malicious actors to gain access to a user’s camera and microphone, read sensitive data, log user input and even escalate privileges. Talos researchers reported the issues to Microsoft, which responded that it does not plan to fix them.
Francesco Benvenuto, a senior security research engineer at Talos, highlighted that some of Microsoft’s macOS apps carry entitlements that disable security features introduced by Apple’s hardened runtime. Under specific conditions, this could let an attacker bypass the hardened runtime’s protections against malicious library injection in those applications.
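The entitlements Benvenuto describes are declared in an app’s code signature, so a defender can audit an installed app for them without running it. The following script is an added example, not code from Talos, Microsoft or the original article: it parses the entitlements plist that `codesign -d --entitlements :- /Applications/Some.app` prints on macOS (the exact flag form varies by macOS version), flags the hardened-runtime entitlements that relax library validation and code loading, and lists which sensitive resources (camera, microphone) an injected library would inherit. The entitlement key names are Apple’s documented ones; the two sample plists are constructed here to stand in for a vulnerable app and for one that has had the entitlement removed, as the article says Teams and OneNote were.

```python
"""Audit a macOS app's code-signing entitlements for settings that weaken
the hardened runtime's protection against library injection.

On macOS, feed this the output of:
    codesign -d --entitlements :- /Applications/Some.app
(older versions prefix the XML with a small binary blob header; it is
stripped below). Off-box, the two constructed samples run stand-alone."""
import plistlib

# Hardened-runtime entitlements that relax protections against loading
# untrusted code into the process. Key names are Apple's; the descriptions
# are this example's own wording.
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation":
        "loads libraries not signed by the app's team or Apple",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* environment variables",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "permits executable memory that is not code-signed",
}

# Resource-access entitlements. Legitimate on their own, but any code that
# gets injected into the process inherits them.
SENSITIVE_ENTITLEMENTS = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}


def audit_entitlements(raw: bytes) -> dict:
    """Return which risky entitlements are enabled and what they expose."""
    # codesign may emit a binary blob header before the XML; skip to the plist.
    start = raw.find(b"<?xml")
    if start < 0:
        start = raw.find(b"<plist")
    if start < 0:
        raise ValueError("no property list found in entitlements blob")
    entitlements = plistlib.loads(raw[start:])

    # Only entitlements explicitly set to true count; <false/> is a no-op.
    enabled = {key for key, value in entitlements.items() if value is True}
    risky = sorted(key for key in enabled if key in RISKY_ENTITLEMENTS)
    exposed = sorted(SENSITIVE_ENTITLEMENTS[key]
                     for key in enabled if key in SENSITIVE_ENTITLEMENTS)
    return {
        "risky": risky,
        "exposed": exposed,
        "injection_possible": bool(risky),
    }


def _plist(entries: dict) -> bytes:
    """Build a constructed entitlements plist for the samples below."""
    body = "".join(f"\t<key>{k}</key>\n\t<{'true' if v else 'false'}/>\n"
                   for k, v in entries.items())
    return (b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
            b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
            b'<plist version="1.0">\n<dict>\n' + body.encode() +
            b'</dict>\n</plist>\n')


# Constructed sample: hardened runtime enabled, but library validation
# switched off while the app also holds camera and microphone access.
SAMPLE_VULNERABLE = _plist({
    "com.apple.security.cs.disable-library-validation": True,
    "com.apple.security.device.camera": True,
    "com.apple.security.device.audio-input": True,
    "com.apple.security.network.client": True,
})

# Constructed sample: same app after the library-validation entitlement
# has been removed; resource access alone does not enable injection.
SAMPLE_FIXED = _plist({
    "com.apple.security.device.camera": True,
    "com.apple.security.device.audio-input": True,
    "com.apple.security.network.client": True,
})


def report(name: str, raw: bytes) -> None:
    result = audit_entitlements(raw)
    print(f"{name}: injection_possible={result['injection_possible']}")
    for key in result["risky"]:
        print(f"  risky   {key}: {RISKY_ENTITLEMENTS[key]}")
    for resource in result["exposed"]:
        print(f"  exposed {resource}")


if __name__ == "__main__":
    report("sample-vulnerable", SAMPLE_VULNERABLE)
    report("sample-fixed", SAMPLE_FIXED)
```

Running the audit across every bundle under `/Applications` gives an inventory of which apps would let a locally running attacker piggy-back on their camera, microphone or other permissions, which is the check an organisation can make for itself regardless of a vendor’s severity rating.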
According to Benvenuto, Microsoft has updated its Teams apps and OneNote to mitigate the bugs by removing the entitlement that allowed library injection, but the Office apps remain vulnerable. The Talos investigation serves as a reminder of the security risks that arise when software vendors decline to address vulnerabilities in their applications. Although Microsoft has designated these vulnerabilities as low risk and chosen not to patch them, the concerns raised by Talos underscore the importance of prioritizing security in software development.