A cybersecurity group has disclosed numerous vulnerabilities in apps developed by Microsoft for macOS that let hackers target users and their data. The security flaws impact apps, including Microsoft Office, Outlook, Teams, OneNote, and other apps from the Redmond company.
Hackers could access a user’s camera and microphone by misusing Apple’s permission framework on its desktop operating system. Although Microsoft has issued fixes for two of its applications on macOS, its other apps are still vulnerable to attackers.
Hackers can access camera and microphone without permissions
Cybersecurity group Cisco Talos disclosed information about eight vulnerabilities found in Microsoft's apps for macOS in a blog post. These flaws let hackers inject specially crafted malicious libraries into six Microsoft apps (Outlook, Teams, PowerPoint, Excel, Word, and OneNote) and bypass Apple's permission model on macOS.
Under Apple’s Transparency, Consent and Control (TCC) framework on macOS, malicious software would need to be granted explicit user consent for the relevant permissions before it could access a user's microphone and camera.
Some malicious programs can utilise a process called library injection to gain access to permissions granted to other apps.
According to Cisco Talos, as a result, macOS users who have Microsoft's apps downloaded on their computer could be vulnerable to hacking. Microsoft Excel is the only app in the list that doesn't have access to the microphone, while apps such as Microsoft Teams can also access the device's camera.
Microsoft patches two affected apps
The cybersecurity group said that it reported the security vulnerabilities to Microsoft, and the company has since updated two of the impacted apps with fixes for the flaws. Users running the latest versions of Microsoft Teams and OneNote should not be affected, but the company's Outlook and Office apps are currently impacted by the security flaw.
Cisco Talos claimed that Microsoft should not have disabled library validation, as doing so exposes users to unnecessary risks by bypassing hardened runtime safeguards put in place by Apple on the OS, designed to protect users through TCC and its permission model.
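For administrators who want to check their own fleet for the combination described above, the following added example (not from Cisco Talos, Microsoft, or the original article) flags apps whose entitlements disable library validation while also declaring camera or microphone access. The app names and sample plists are constructed; on a Mac the input would be each app's entitlements plist, for example as printed by `codesign -d --entitlements - --xml`.

```python
import plistlib

# macOS entitlement keys: the hardened-runtime exception that turns off
# library validation, and the resource-access keys TCC consults.
DISABLE_LV = "com.apple.security.cs.disable-library-validation"
CAMERA = "com.apple.security.device.camera"
MICROPHONE = "com.apple.security.device.audio-input"
TCC_ENTITLEMENTS = {CAMERA: "camera", MICROPHONE: "microphone"}


def assess_entitlements(plist_bytes):
    """Return (risky, resources) for one app's entitlements plist.

    risky is True only when library validation is disabled AND the app
    declares camera or microphone access: a library loaded into that
    process would run with permissions the user granted to the app.
    """
    ent = plistlib.loads(plist_bytes)
    lv_disabled = ent.get(DISABLE_LV) is True
    resources = sorted(
        name for key, name in TCC_ENTITLEMENTS.items() if ent.get(key) is True
    )
    return (lv_disabled and bool(resources)), resources


def audit(samples):
    """Map each app name to its (risky, resources) assessment."""
    return {app: assess_entitlements(raw) for app, raw in samples.items()}


# Constructed sample input: hypothetical apps, not real products.
SAMPLES = {
    # Library validation off and camera + microphone declared: flagged.
    "ExampleChat.app": plistlib.dumps(
        {DISABLE_LV: True, CAMERA: True, MICROPHONE: True}
    ),
    # Library validation off but no camera/microphone entitlement.
    "ExampleSheets.app": plistlib.dumps({DISABLE_LV: True}),
    # Microphone declared, library validation left enabled.
    "ExampleNotes.app": plistlib.dumps({MICROPHONE: True}),
}

if __name__ == "__main__":
    for app, (risky, resources) in audit(SAMPLES).items():
        status = "REVIEW" if risky else "ok"
        print(f"{status:6} {app}: {', '.join(resources) or 'no camera/mic'}")
```
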