Security researchers from Cisco Talos have discovered several vulnerabilities in Microsoft applications for Apple’s macOS operating system. Exploiting them allows surveillance of Mac users, including access to the camera and microphone of the targeted device.


In the Cisco Talos publication, the researchers explain how attackers can exploit vulnerabilities in Microsoft's macOS apps, such as Outlook or Teams, to gain access to a device’s camera or microphone without the user’s consent. The attack is based on injecting malicious libraries into Microsoft applications in order to obtain the rights and permissions that the user has already granted to the legitimate products.

macOS has a service called Transparency, Consent, and Control (TCC), which manages app permissions, including access to device location, camera, microphone, photos, and more. Every app must obtain permission through TCC before it can use these resources. However, an exploit based on the Microsoft application vulnerabilities allows malware to use permissions that were already granted to the software giant’s products.

“We have identified eight vulnerabilities in various Microsoft applications for macOS that allow attackers to bypass the operating system’s permissions mechanism by using existing permissions without requiring additional verification from the user,” the researchers said in a statement.

For example, an attacker could create malware that records audio from the microphone or takes photos without any interaction from the user of the device. The researchers note that all of the affected applications, except Excel, have the ability to record sound, and some have access to the camera.

According to available data, Microsoft is already working on a patch that will eliminate the vulnerabilities found in its products for macOS. The issue has already been fixed in Teams and OneNote, but it continues to affect Excel, PowerPoint, Word, and Outlook. The company did not consider the exploit created by the researchers dangerous, because it relies on loading unsigned libraries to support third-party plugins. You can find more detailed information on this issue on the Cisco Talos blog.
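For defenders who want to inventory this exposure, the following added example (not code from Cisco Talos or Microsoft) audits an app's entitlements plist, such as the one printed by `codesign -d --entitlements :-`, for the combination the article describes. It assumes that the ability to load unsigned libraries is declared through the hardened-runtime entitlement `com.apple.security.cs.disable-library-validation`; the app names and plists are constructed samples.

```python
import plistlib

# Apple entitlement keys; the article does not name them (assumption).
ALLOWS_UNSIGNED_LIBS = "com.apple.security.cs.disable-library-validation"
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}

def audit_entitlements(plist_bytes):
    """Classify one app's entitlements plist.

    Returns (loads_unsigned_libraries, [resources injected code could reach]).
    The list is only populated when library validation is disabled,
    because only then can a foreign library run inside the app's process.
    """
    ents = plistlib.loads(plist_bytes)
    unsigned_ok = ents.get(ALLOWS_UNSIGNED_LIBS) is True
    declared = sorted(n for k, n in SENSITIVE.items() if ents.get(k) is True)
    return unsigned_ok, (declared if unsigned_ok else [])

def _plist(*true_keys):
    # Build a constructed XML entitlements plist with the given keys set true.
    body = "".join(f"<key>{k}</key><true/>" for k in true_keys)
    return (f'<?xml version="1.0" encoding="UTF-8"?>'
            f'<plist version="1.0"><dict>{body}</dict></plist>').encode()

# Constructed samples with hypothetical app names, not real Microsoft data.
SAMPLES = {
    "ExampleChat.app": _plist(ALLOWS_UNSIGNED_LIBS, *SENSITIVE),
    "ExampleSheet.app": _plist(ALLOWS_UNSIGNED_LIBS),
    "ExampleNotes.app": _plist("com.apple.security.device.audio-input"),
}

def flagged_apps(samples):
    """Apps where an injected library would share camera/microphone access."""
    report = {}
    for name, raw in samples.items():
        unsigned_ok, reachable = audit_entitlements(raw)
        if reachable:
            report[name] = reachable
    return report

if __name__ == "__main__":
    for app, resources in flagged_apps(SAMPLES).items():
        print(f"{app}: unsigned libraries allowed, reachable: {', '.join(resources)}")
```

An entitlement only declares that the app may request the resource; whether the user has actually granted it through TCC is a separate decision that this check does not see.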
