Malicious Code Injection: Cisco Talos Finds macOS Microsoft App Security Gaps
The Cisco Talos team has identified eight vulnerabilities in Microsoft applications for macOS that allow unauthorized access to permissions and privileges granted to specific applications.
These flaws enable attackers to inject malicious libraries into Microsoft applications, bypassing macOS’s security model and exploiting existing permissions without the user’s knowledge.
Permissions in macOS regulate application access to resources such as the microphone, camera, folders, screen recording, and more. If a cybercriminal gains access to these permissions, they could obtain sensitive information or even elevate their privileges within the system. In a successful attack, for instance, an attacker might send emails on behalf of the user or record audio or video without the user’s consent.
Cisco Talos has detailed how these vulnerabilities can be exploited to circumvent macOS’s security model, which is based on the TCC (Transparency, Consent, and Control) system. TCC requires explicit user consent for access to personal data and system resources, providing protection against unauthorized access.
For example, malware could exploit Microsoft application permissions to perform unauthorized actions. Despite the severity of the situation, Microsoft has assessed the issues as low-risk and has refused to address some of them, stating that to support plugins, certain applications must allow the loading of unsigned libraries.
During their analysis, Cisco Talos identified the following vulnerabilities and assigned them identifiers and corresponding CVEs:
- TALOS-2024-1972 / CVE-2024-42220 – Microsoft Outlook
- TALOS-2024-1973 / CVE-2024-42004 – Microsoft Teams (Work or School)
- TALOS-2024-1974 / CVE-2024-39804 – Microsoft PowerPoint
- TALOS-2024-1975 / CVE-2024-41159 – Microsoft OneNote
- TALOS-2024-1976 / CVE-2024-43106 – Microsoft Excel
- TALOS-2024-1977 / CVE-2024-41165 – Microsoft Word
- TALOS-2024-1990 / CVE-2024-41145 – Microsoft Teams (Work or School) in WebView.app
- TALOS-2024-1991 / CVE-2024-41138 – Microsoft Teams (Work or School) in the auxiliary application com.microsoft.teams2.modulehost.app
The core of the issue is that each of these flaws lets an attacker inject a library into the application's process, which opens up every permission previously granted to that application. In other words, the cybercriminal could perform any action for which the user has already granted permission, without the system asking again.
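The mechanism above (a process that accepts unsigned libraries inherits the TCC grants of its bundle, and vendors weaken library validation to support plugins) can be audited from the defender's side by reading a bundle's code-signing entitlements. The following is an added example, not Cisco Talos or Microsoft code: it classifies an entitlements plist, flagging bundles that combine an injection-enabling hardened-runtime entitlement with declared access to sensitive resources. The entitlement keys are real Apple keys; the `codesign -d --entitlements :-` invocation and the sample plist are assumptions constructed for the example.

```python
"""Audit a macOS app bundle's entitlements for the pairing this article describes:
library validation disabled (for plugins) plus access to TCC-protected resources."""
import plistlib
import subprocess

# Hardened-runtime entitlements that make a process injectable (real Apple keys).
INJECTION_KEYS = {
    "com.apple.security.cs.disable-library-validation": "dylibs from other teams/unsigned may load",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_* variables are honoured",
    "com.apple.security.cs.allow-unsigned-executable-memory": "unsigned executable memory allowed",
}
# Entitlements declaring use of TCC-protected resources (real Apple keys).
RESOURCE_KEYS = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendars",
    "com.apple.security.personal-information.location": "location",
    "com.apple.security.personal-information.photos-library": "photos",
}

def assess(entitlements_xml: bytes) -> dict:
    """Parse an entitlements plist and rate how much injected code could inherit."""
    ents = plistlib.loads(entitlements_xml)
    injection = {k: v for k, v in INJECTION_KEYS.items() if ents.get(k) is True}
    resources = sorted(v for k, v in RESOURCE_KEYS.items() if ents.get(k) is True)
    if injection and resources:
        level = "high"    # injected code inherits every TCC grant the user already gave
    elif injection:
        level = "medium"  # injectable, but no sensitive resource declared
    else:
        level = "low"
    return {"level": level, "injection": injection, "resources": resources}

def audit_app(app_path: str) -> dict:
    """Extract entitlements with codesign (flag set assumed) and assess them."""
    out = subprocess.run(["codesign", "-d", "--entitlements", ":-", app_path],
                         capture_output=True, check=True).stdout
    start = out.find(b"<?xml")               # tolerate a blob header on older codesign builds
    return assess(out[start:] if start >= 0 else out)

# Constructed sample: an app that disables library validation for plugins and uses AV devices.
SAMPLE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.device.audio-input</key><true/>
<key>com.apple.security.device.camera</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    import sys
    print(audit_app(sys.argv[1]) if len(sys.argv) > 1 else assess(SAMPLE))
```

Run it with a bundle path on macOS to audit an installed app; with no arguments it evaluates the constructed sample, which rates "high".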
While Apple provides robust security measures, including mandatory confirmation for access to sensitive data, the identified vulnerabilities demonstrate that these safeguards can be bypassed.
Despite Microsoft rating these vulnerabilities as low risk, four of the eight affected applications have been patched. Microsoft Excel, Outlook, PowerPoint, and Word, however, remain vulnerable.
Cisco Talos emphasizes the importance of diligent security practices, particularly in the context of using third-party plugins. These vulnerabilities illustrate that even relatively low risks can become significant threats if not properly addressed. Therefore, software developers must take all necessary measures to prevent potential attacks and protect their users’ data.
macOS devices are increasingly becoming targets for hackers. Intel 471 has identified more than 40 hacker groups showing interest in malware and exploits for Apple’s platform. Since last year, at least 21 attackers have sought to acquire macOS malware, with some expressing interest in services to distribute existing malicious software. A similar number of hackers are already actively targeting the system.