New Vulnerabilities in Microsoft macOS Apps Could Enable Hackers to Gain Unrestricted Access

Eight vulnerabilities have been identified in Microsoft applications for macOS that an adversary could exploit to gain elevated privileges or access sensitive data by circumventing the operating system's permissions-based model, which is built around the Transparency, Consent, and Control (TCC) framework. "If successful, the adversary could gain any privileges already granted to the affected Microsoft applications," Cisco Talos said. "For example, the attacker could send emails from the user account without the user noticing, record audio clips, take pictures, or record videos without any user interaction."

The flaws span applications such as Outlook, Teams, Word, Excel, PowerPoint, and OneNote. The cybersecurity company said malicious libraries could be injected into these applications to gain their entitlements and user-granted permissions, which could then be weaponized to extract sensitive information, depending on the access granted to each of those apps.

TCC is a framework developed by Apple to manage access to sensitive user data on macOS, giving users additional transparency into how their data is accessed and used by the applications installed on the device. This is maintained in the form of an encrypted database that records the permissions granted by the user to each application, so that those choices are consistently enforced across the system.

"TCC works in conjunction with the application sandboxing feature in macOS and iOS," Huntress states in its explainer for TCC. "Sandboxing determines an app's access to the system and other applications, adding an extra layer of protection. TCC ensures that apps can only access data for which they have obtained explicit user approval." Sandboxing is also a countermeasure that protects against code injection, which allows attackers with access to a device to insert malicious code into legitimate processes and access protected data.

"Library injection, also known as Dylib Hijacking in the context of macOS, is a technique whereby code is inserted into the running process of an application," Talos researcher Francesco Benvenuto said. "macOS counters this threat with features such as hardened runtime, which reduce the likelihood of an attacker executing arbitrary code through the process of another app." "However, should an attacker manage to inject a library into the process space of a running application, that library could use all the permissions already granted to the process, effectively operating on behalf of the application itself."

It is worth noting, however, that attacks of this kind require the threat actor to already have a certain level of access to the compromised host, so that it could be abused to open a more privileged app and inject a malicious library, effectively granting them the permissions associated with the exploited app.

In other words, should a trusted application be compromised by an attacker, it could be leveraged to abuse its permissions and gain unauthorized access to sensitive information without the user's consent or knowledge. This type of breach could occur when an application loads libraries from locations the attacker could potentially manipulate and it has disabled library validation through a risky entitlement (i.e., set to true), which otherwise restricts the loading of libraries to those signed by the application's developer or Apple.
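A defender can check any app bundle for the combination just described: is the binary signed with the hardened runtime, does it carry a Hardened Runtime exception that weakens library validation, and which privacy-sensitive entitlements would an injected library inherit? The script below is an added example written for this page, not Cisco Talos's or Microsoft's code. It assumes Apple's standard `codesign` tool and Apple's documented entitlement keys (for instance `com.apple.security.cs.disable-library-validation`, which the article only calls the "risky entitlement"); the embedded entitlements plist and `codesign -dv` output are constructed samples so the parsing logic runs anywhere, and `inspect_app()` is the only part that needs a real macOS host.

```python
"""Audit a macOS app bundle's signing posture for the library-validation weakness.

Added example (not Cisco Talos's or Microsoft's code). Assumptions: `codesign`
is Apple's CLI, the entitlement keys below are Apple's documented Hardened
Runtime / App Sandbox keys, and SAMPLE_* inputs are constructed for the demo.
"""
import plistlib
import re
import subprocess
from typing import Dict, List, Tuple

# Hardened Runtime exceptions that weaken protection against library injection.
RISKY_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation": "library validation disabled",
    "com.apple.security.cs.allow-dyld-environment-variables": "dyld environment honoured",
    "com.apple.security.cs.allow-unsigned-executable-memory": "unsigned executable memory",
}

# Entitlements whose TCC-backed access an injected library would inherit.
SENSITIVE_ENTITLEMENTS = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendars",
}

# Constructed sample: entitlements of a hypothetical app (not a real product).
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.device.audio-input</key>
    <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
    <false/>
</dict>
</plist>
"""

# Constructed sample of `codesign -dv` output (goes to stderr on a real host).
SAMPLE_CODESIGN_DV = """Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.app
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+7 location=embedded
Signature size=9000
"""

FLAGS_RE = re.compile(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)")


def has_hardened_runtime(codesign_dv_output: str) -> bool:
    """True if the CodeDirectory flags in `codesign -dv` output include 'runtime'."""
    for line in codesign_dv_output.splitlines():
        if line.startswith("CodeDirectory"):
            m = FLAGS_RE.search(line)
            return bool(m) and "runtime" in m.group(1).split(",")
    return False


def audit_entitlements(plist_bytes: bytes) -> Dict[str, List[str]]:
    """Return the risky and sensitive entitlement keys that are explicitly true.

    A key present but set to false does not disable the protection, so it is
    not reported. Older codesign versions prefix the XML with a binary header,
    which is skipped.
    """
    start = plist_bytes.find(b"<?xml")
    if start > 0:
        plist_bytes = plist_bytes[start:]
    ents = plistlib.loads(plist_bytes) if plist_bytes.strip() else {}
    risky = [k for k in RISKY_ENTITLEMENTS if ents.get(k) is True]
    sensitive = [k for k in SENSITIVE_ENTITLEMENTS if ents.get(k) is True]
    return {"risky": risky, "sensitive": sensitive}


def risk_level(hardened: bool, findings: Dict[str, List[str]]) -> str:
    """Summarise: weakened library loading plus sensitive grants is the bad combination."""
    if findings["risky"] and findings["sensitive"]:
        return "HIGH: library validation weakened and app holds sensitive entitlements"
    if findings["risky"] or not hardened:
        return "MEDIUM: injection protections weakened"
    return "LOW: hardened runtime with library validation intact"


def inspect_app(app_path: str) -> Tuple[bool, Dict[str, List[str]]]:
    """Run codesign against a real bundle (macOS only) and audit the result."""
    dv = subprocess.run(["codesign", "-dv", app_path], capture_output=True, text=True).stderr
    ents = subprocess.run(["codesign", "-d", "--entitlements", ":-", app_path],
                          capture_output=True).stdout
    return has_hardened_runtime(dv), audit_entitlements(ents)


if __name__ == "__main__":
    found = audit_entitlements(SAMPLE_ENTITLEMENTS)
    print(risk_level(has_hardened_runtime(SAMPLE_CODESIGN_DV), found), found)
```

On a real Mac, `inspect_app("/Applications/SomeApp.app")` replaces the constructed samples; the "HIGH" verdict corresponds to the situation the article describes, where library validation is disabled and the app already holds camera or microphone grants.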

"macOS trusts applications to self-police their permissions," Benvenuto noted. "A failure in this responsibility leads to a breach of the entire permission model, with applications inadvertently acting as proxies for unauthorized actions, circumventing TCC and compromising the system's security model." Microsoft, for its part, considers the identified issues "low risk" and says the apps need to load unsigned libraries to support plugins. However, the company has stepped in to remediate the issue in its OneNote and Teams apps.

"The vulnerable apps leave the door open for adversaries to exploit all of the apps' entitlements and, without any user prompts, reuse all the permissions already granted to the app, effectively serving as a permission broker for the attacker," Benvenuto said. "It's also important to mention that it's unclear how to securely handle such plug-ins within macOS' current framework. Notarization of third-party plug-ins is an option, albeit a complex one, and it would require Microsoft or Apple to sign third-party modules after verifying their security."