If you use Microsoft productivity apps like Microsoft Word for Mac, you need to know about a new report from cybersecurity researchers at Cisco Talos. According to the report, many of the most common Microsoft apps on macOS have a significant vulnerability that could put your sensitive data at risk of theft.
Understanding the Danger to Microsoft Apps on macOS
The newly discovered vulnerabilities in the Microsoft apps on macOS could allow hackers to bypass permission requirements and access everything from your camera and microphone to confidential files. The problem stems from an entitlement in the productivity apps called “com.apple.security.cs.disable-library-validation,” which turns off library validation, a critical security check, and can leave the app vulnerable to compromise.
The eight distinct vulnerabilities that the researchers discovered allow hackers to take advantage of permissions that you already granted to the apps. For example, the first time you need to create a voiceover recording for a presentation in PowerPoint for Mac, you must grant it permission to access the microphone. The permission remains in effect until you adjust the setting to deny it.
The vulnerability in Microsoft apps on macOS allows hackers to inject malicious libraries to search for the permissions you granted to tools like Excel on macOS. Once they locate these entitlements, they can gain access to the apps without any additional verification and essentially take over the machine without the user noticing.
Some of the activities that a hacker can perform by exploiting this weakness include:
- Sending messages from your Outlook email client for macOS
- Turning on the camera or microphone and recording you
- Recording your screen while you work
- Spying on Teams calls
- Collecting information from OneNote on macOS
Microsoft’s Response and What You Can Do To Remain Secure
Although these vulnerabilities are a significant concern, Microsoft does not share that view. The company has no plans to issue a patch for the vulnerability.
According to Microsoft, the actual risk of a problem is low due to the many variables required to launch a successful attack. The company notes that some application plugins require installing unsigned libraries to function, and addressing this issue would affect the functionality of those plugins. A recent update to Teams and OneNote on macOS addressed the vulnerability that allowed library injections.
Microsoft notes that macOS offers enough inherent protection against hackers and that most users will not have any problems with these attacks. Still, you should take precautions to address this vulnerability in Microsoft apps on macOS, including:
- Keep your operating system updated and install security patches as soon as possible
- Frequently review your device’s settings to confirm that only trusted apps have access to the microphone, camera, and other features
- Avoid installing plugins to Microsoft apps
- Keep your Microsoft apps, like OfficeSuite for macOS, updated
By following these security protocols, your chances of becoming a victim of these attacks are much lower.
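To see which installed apps carry the entitlement named above, the following script is an added example (not taken from the Talos report or from Microsoft). It assumes the macOS codesign tool and apps installed under /Applications; the function names and the sample plist are constructed for illustration.

```shell
#!/bin/sh
# Added example: list apps signed with the disable-library-validation
# entitlement. Function names and sample data are constructed.

ENTITLEMENT="com.apple.security.cs.disable-library-validation"

# Read an entitlements plist (XML) on stdin and succeed only if the key
# given as $1 is present and set to <true/>. Whitespace is stripped first
# so pretty-printed and single-line plists are treated the same way.
has_entitlement_true() {
    tr -d ' \t\r\n' | grep -qF "<key>$1</key><true/>"
}

# Print every .app bundle in a directory (default: /Applications)
# whose code signature carries the entitlement.
audit_apps() {
    dir="${1:-/Applications}"
    for app in "$dir"/*.app; do
        [ -d "$app" ] || continue
        # codesign writes the embedded entitlements as XML to stdout;
        # unsigned apps and deprecation warnings go to stderr.
        if codesign -d --entitlements :- "$app" 2>/dev/null \
            | has_entitlement_true "$ENTITLEMENT"; then
            printf '%s\n' "$app"
        fi
    done
}

# Constructed sample, shaped like the XML that codesign prints.
sample_plist() {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.security.device.audio-input</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>
EOF
}

# Run the audit only where codesign exists (that is, on a Mac).
if command -v codesign >/dev/null 2>&1; then
    audit_apps "$@"
fi
```

An app appearing in the output is not evidence of compromise; it means the app is allowed to load libraries that are not signed by its own developer or by Apple, so the permissions granted to it deserve a closer look.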