Analysis Summary

Eight flaws in Microsoft apps for macOS have been found, which an attacker could use to get around the permissions-based model of the operating system—which is based on the Transparency, Consent, and Control (TCC) framework—and obtain elevated privileges or access sensitive data.

If the attacker is successful, any privileges already granted to the impacted Microsoft programs could be taken by them. For instance, the attacker might capture images, record movies, record audio clips, and send emails from the user account without the user realizing it. The issues affect several different programs, including OneNote, Teams, Word, Excel, PowerPoint, and Outlook.

According to the researchers, if malicious libraries are introduced into these apps, they might acquire user-granted permissions and entitlements. Depending on the level of access that each of those apps has, these could then be used as a weapon to harvest sensitive data. Apple created the TCC framework to control access to private user data on macOS, providing consumers with more control over how various installed apps on the system access and utilize their data.

To guarantee that the user's choices are applied uniformly throughout the system, this is kept up to date in the form of an encrypted database that documents the permissions each program has been granted by the user. TCC functions in tandem with iOS and macOS's application sandboxing technology. An additional degree of security is provided via sandboxing, which limits an app's access to the system and other programs. TCC makes sure that apps can only access information for which users have given their express consent.

Another defense against code injection is sandboxing, which prevents threat actors with physical access to a computer from infecting legitimate processes with malicious code so they may access data that is protected. Code is inserted into an application's running process via a technique called library injection, or Dylib Hijacking in the macOS context. Hardened runtime is one of the features on macOS that mitigates this issue by making it less likely for an attacker to run arbitrary code while another app is running.

If an attacker were to successfully insert a library into the process space of an application that is now running, the library would be able to utilize all of the rights that have already been granted to the process, thereby performing the functions of the application itself. It is important to remember, though, that these types of attacks necessitate that the threat actor already has some degree of access to the compromised host to be able to use it to open a more privileged app and inject a malicious library, thus giving them the permissions linked to the exploited app.

To put it another way, if an attacker manages to compromise a trusted program, they could exploit it to misuse its rights and obtain unauthorized access to private data without the users' knowledge or agreement. This kind of breach can happen if an application loads libraries from places that an attacker could potentially manipulate and disables library validation by setting a risky entitlement to true, which would otherwise restrict library loading to only those libraries signed by Apple or the application's developer.

On macOS, permissions are left up to the individual apps. Applications that neglect this duty unintentionally serve as proxies for illegal activity, evading TCC and jeopardizing the security model of the system. This results in a breach of the authorization model as a whole. Microsoft, on the other hand, believes that the problems found are "low risk" and that unsigned libraries must load for the apps to enable plugins. However, the business has intervened to fix the issue with the Teams and OneNote apps.

Vulnerable apps let attackers leverage all the privileges granted to them and reuse them without the user's consent. In this way, the vulnerable apps act as a permission broker for the attacker. It's also crucial to note that the present macOS framework may not be able to handle these plug-ins securely. Although it is a complicated process, notarizing third-party plug-ins is an option. After confirming the security of the third-party modules, Apple or Microsoft would need to sign them.

Impact

• Sensitive Data Theft
• Privilege Escalation
• Unauthorized Access
• Cyber Espionage

Remediation

• Upgrade to the latest version of the affected software for macOS, available from the Microsoft Website.
• Organizations must test their assets for the vulnerability mentioned above and apply the available security patch or mitigation steps as soon as possible.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations must stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.