Vulnerabilities in Microsoft’s macOS apps could help hackers access microphones and cameras

Updated August 21, 2024 with a statement from Microsoft.

Researchers said they discovered eight vulnerabilities in a range of Microsoft applications for macOS, including Teams, Outlook, Word, PowerPoint, OneNote and Excel, that could allow an attacker to gain access to a user’s “microphone, camera, folders, screen recording, user input and more.”

According to a blog post published Monday by Cisco Talos, if users have already given those apps permission to access device resources then the way Microsoft has designed its apps means hackers could exploit them to secretly record video or audio without users’ knowing.

“If a trusted application is compromised, it might be manipulated to abuse its permissions, allowing attackers to perform actions without user knowledge. For instance, if a video chat app with camera and microphone access is exploited, it could be forced to record without alerting the user,” warned Cisco.

The vulnerabilities are all linked to library injection — a technique that macOS defends against with Hardened Runtime, a setting that restricts the loading of risky libraries that could contain malicious code.

However, as the setting also restricts some capabilities that apps can depend on, Apple advises developers they can “add an entitlement to disable an individual protection” to ensure their apps’ functionality.

Cisco argues that Microsoft has added entitlements for the affected apps, disabling some of the protections provided by Hardened Runtime — and has done so unnecessarily.

The entitlement used by Microsoft is intended to allow apps to load plug-ins signed by third-party developers, Cisco stated: “Yet, as far as we know, the only ‘plug-ins’ available to Microsoft's macOS apps are web-based and known as ‘Office add-ins.’

“If this understanding is correct, it raises questions about the necessity of disabling library validation, especially if no additional libraries are expected to be loaded. By using this entitlement, Microsoft is circumventing the safeguards offered by the hardened runtime, potentially exposing its users to unnecessary risks,” states the blog.

Microsoft considers the issues “low risk,” according to Cisco. But following the report, Microsoft updated its Teams apps and OneNote to remove the entitlement and thus the potential vulnerability.

The blog states that Excel, Outlook, PowerPoint and Word remain vulnerable and warns these “leave the door open for adversaries to exploit all of the apps' entitlements and, without any user prompts, reuse all the permissions already granted to the app, effectively serving as a permission broker for the attacker.”

Following publication, a spokesperson for Microsoft said: “The disclosed cases do not pose a significant security risk as the technique described requires the attacker to already have a certain level of access to the system.

“However, we have implemented several updates for added protection, as detailed in the report. As a best practice, customers should keep their software updated and regularly review application permissions.”