Office products from Microsoft: loopholes have undermined macOS system security
Word, Outlook, PowerPoint, OneNote, Excel, Teams: Problematic code in the macOS versions could compromise Apple's security model, according to Cisco Talos.
IT security researchers from Cisco Talos have discovered problematic security vulnerabilities in a total of six macOS versions of Microsoft programs that are widely used as part of the Office suite. The bugs made it possible to bypass the system security implemented by Apple, the experts write in their advisory. Word, Outlook, PowerPoint, OneNote, Excel and the communication program Teams, which is also sold separately, are affected.
Fixes only available for two apps
A total of eight points of attack have been discovered that could be used to inject malicious libraries into Microsoft programs, which could then abuse the permissions granted by the user - including the entitlements assigned by Apple, which are actually used to protect system areas. "These permissions control whether an app can access resources such as microphone, camera, folders, screen recording, user input and more. This means that if an attacker gains access to them, sensitive information may be revealed." In the worst-case scenario, there is also the threat of privilege escalation.
Do you read Mac & i?
Take part in our survey to find out what you like and don't like, what topics you would like to see covered and what you think of this summer's Apple innovations.
The survey can be accessed via page 3 at the bottom of the current issue 4/2024 and online.
So far, Microsoft is said to have only updated two of the six programs to patch the vulnerabilities - OneNote and Teams. "Microsoft classifies these problems as low risk and believes that some of its applications must allow the loading of unsigned libraries in order to support [existing] plug-ins." Therefore, the company has declined to fix the issues reported by Cisco Talos in Word, Outlook, PowerPoint and Excel. OneNote and Teams use newer code, which apparently simplified the fix, and there is probably no need to accept unsigned libraries.
Missing validation of libraries
macOS normally uses its "Transparency, Consent and Control" system (TCC) to enforce system-wide that users must approve access to privacy-relevant areas. "Permission pop-ups" then appear for this purpose. The approval (or prohibition) is then noted in the TCC database. At the same time, in macOS it is actually forbidden by default to inject libraries into existing programs. Normally, only those from Apple and those from the developer themselves are approved. However, Microsoft has now deactivated this feature - presumably for importing plug-ins - using an Entitlement.
Why Microsoft insists on retaining this remains a mystery: according to Cisco Talos, such programs do not currently exist at all; instead, Microsoft uses less problematic "Office add-ins" that are web-based. "If this understanding is correct, it raises questions about the need to disable library validation, especially if no additional libraries are to be loaded. By using this permission, Microsoft is circumventing the safeguards provided by the hardened runtime environment and potentially exposing its users to unnecessary risks," the researchers write.
Empfohlener redaktioneller Inhalt
Mit Ihrer Zustimmmung wird hier ein externer Preisvergleich (heise Preisvergleich) geladen.
Ich bin damit einverstanden, dass mir externe Inhalte angezeigt werden. Damit können personenbezogene Daten an Drittplattformen (heise Preisvergleich) übermittelt werden. Mehr dazu in unserer Datenschutzerklärung.
(bsc)