Unpatched Vulnerabilities In Microsoft macOS Apps Pose Threat
Researchers caution macOS users about multiple unpatched vulnerabilities in Microsoft apps for the system. Exploiting these vulnerabilities could potentially allow an attacker to gain sensitive device permissions.
Numerous Vulnerabilities In Microsoft macOS Apps Remain Unpatched
In a recent report, Cisco Talos researchers highlighted the risks associated with exploiting unpatched vulnerabilities in Microsoft macOS apps.
They identified eight security vulnerabilities affecting various Microsoft applications designed for Mac devices. These vulnerabilities were discovered during the analysis of Microsoft apps and the exploitability of macOS’s permission-based security model, which relies on the Transparency, Consent, and Control (TCC) framework. It was noted that an attacker could exploit these flaws to circumvent TCC controls and gain additional permissions without user interaction.
Successful exploitation of these vulnerabilities would enable an attacker to carry out malicious activities using the permissions granted to Microsoft apps. These activities could include sending deceptive emails, capturing audio or video on the target system, and taking photos.
The researchers specifically identified the following eight library injection vulnerabilities in different Microsoft apps. An attacker could exploit these vulnerabilities by injecting malicious libraries into the running processes of the target apps to bypass existing permissions.
- CVE-2024-42220 (CVSS 7.1): Affects Microsoft Outlook 16.83.3 for macOS.
- CVE-2024-42004 (CVSS 7.1): Affects Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS.
- CVE-2024-39804 (CVSS 7.1): Impacts Microsoft PowerPoint 16.83 for macOS.
- CVE-2024-41159 (CVSS 7.1): Exists in Microsoft OneNote 16.83 for macOS.
- CVE-2024-41165 (CVSS 7.1): Impacts Microsoft Word 16.83 for macOS.
- CVE-2024-43106 (CVSS 7.1): Exists in Microsoft Excel 16.83 for macOS.
- CVE-2024-41145 (CVSS 7.1): Affects WebView.app helper app of Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS.
- CVE-2024-41138 (CVSS 7.1): Exists in com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS.
Microsoft Downplays The Threat
Given the functioning of the permission-based model in Apple macOS, the researchers are concerned that an attacker could exploit all permissions granted to an app and carry out various malicious activities “on behalf of the app.”
While macOS’s security features, such as hardened runtime, prevent code execution through another application’s process, injecting a malicious library into the target app’s process space opens up possibilities for exploitation.
According to Cisco Talos, Microsoft has classified these unpatched vulnerabilities as low risk. Microsoft stated that some of its applications need to allow loading of unsigned libraries to support plugins, and it has chosen not to address these issues.
However, the researchers noted updates for Microsoft Teams WebView.app, Microsoft Teams main app, Microsoft Teams ModuleHost.app, and Microsoft OneNote apps for macOS that have addressed the vulnerabilities. Nevertheless, Microsoft Office apps (Excel, Word, PowerPoint, Outlook) remain vulnerable.
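For defenders who want to inventory which installed apps combine relaxed library loading with access to protected resources, the following is an added example, not code from Cisco Talos or Microsoft. It audits an entitlements plist taken from an app's code signature (for example with `codesign -d --entitlements`). The sample plists are constructed for illustration, and the choice of entitlement keys and the "review"/"note"/"ok" labels are assumptions of this example.

```python
import plistlib

# Hardened-runtime exceptions that let a process load code not signed by
# the app's own team (real Apple entitlement keys; selection is this example's).
LOADING_EXCEPTIONS = {
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
}
# Entitlements a hardened-runtime app needs before it can be granted
# these TCC-protected resources.
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
}

def audit_entitlements(plist_bytes):
    """Return (loading exceptions, sensitive resources) found in one plist."""
    ent = plistlib.loads(plist_bytes)
    exceptions = sorted(k for k in LOADING_EXCEPTIONS if ent.get(k) is True)
    resources = sorted(v for k, v in SENSITIVE.items() if ent.get(k) is True)
    return exceptions, resources

def risk(plist_bytes):
    """Label an app: 'review' when relaxed loading meets sensitive access."""
    exceptions, resources = audit_entitlements(plist_bytes)
    if exceptions and resources:
        return "review"
    return "note" if exceptions else "ok"

# Constructed sample inputs (not taken from any real application).
SAMPLE_PLUGIN_HOST = plistlib.dumps({
    "com.apple.security.cs.disable-library-validation": True,
    "com.apple.security.device.camera": True,
    "com.apple.security.device.audio-input": True,
})
SAMPLE_PLUGIN_ONLY = plistlib.dumps({
    "com.apple.security.cs.disable-library-validation": True,
})
SAMPLE_STRICT = plistlib.dumps({
    "com.apple.security.device.camera": True,
    "com.apple.security.cs.disable-library-validation": False,
})

if __name__ == "__main__":
    for name, blob in [("plugin-host", SAMPLE_PLUGIN_HOST),
                       ("plugin-only", SAMPLE_PLUGIN_ONLY),
                       ("strict", SAMPLE_STRICT)]:
        print(name, risk(blob), audit_entitlements(blob))
```

An app labelled "review" is a candidate for closer monitoring or for revoking camera, microphone or contacts access it does not need in System Settings.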
We would like to hear your thoughts in the comments.