Microsoft Office apps circumvent Mac security

Another day, another Microsoft security failure, this time involving vulnerabilities in the company’s productivity apps for Macs. Microsoft says it isn’t a problem. Security researchers disagree.

What’s the problem?

Security researchers at Cisco Talos have identified eight vulnerabilities in widely deployed Microsoft Office apps that can be abused to the extent that attackers can:

Record video clips

Record audio clips

Take pictures

Access and exfiltrate data

Send emails

Which applications are affected?

Cisco Talos identified the vulnerabilities across a swath of Microsoft’s productivity suite: in Word, Excel, PowerPoint, Teams, Outlook, and OneNote. They take advantage of a permission Microsoft has built into its applications to enable use of third-party plug-ins.

What Microsoft says

Microsoft reportedly says these security vulnerabilities in its products are “low risk.” The company argues that some of its apps need to allow the loading of “unsigned libraries” to support plug-ins they use. But that sounds less convincing when you learn that since the flaws were reported, Microsoft has updated Teams and OneNote so those applications are no longer vulnerable. Word, Excel, PowerPoint, and Outlook remain vulnerable.

What the vulnerabilities do

Attackers can use Microsoft’s weak application security to inject specially crafted libraries into the systems, which then give them all the access permissions users have provided to the relevant apps.

What this means in practice is that if you have granted Microsoft Word permission to access to your microphone, for example, then an attacker can use the injection attack to assume that right, giving them access to your microphone.

Among the potential consequences of such an attack, the security researchers warn: “the attacker could send emails from the user account without the user noticing, record audio clips, take pictures or record videos without any user interaction.”

How these attacks work (simplified)

MacOS has a feature called Hardened Runtime to prevent this kind of DLL (Dynamically Linked Library) hack. The problem is that Microsoft’s apps have enabled an entitlement to disable this protection. 

That means that hackers may be able to exploit these vulnerabilities by injecting malicious libraries into Microsoft’s applications to gain their entitlements and user-granted permissions. Cisco Talos has more in-depth information here.

What the researchers said

Francesco Benvenuto, Sr. Vulnerability Researcher with Cisco Talos, wrote:

“Microsoft appears to use the com.apple.security.cs.disable-library-validation entitlement for certain apps to support some kind of ‘plug-ins.’ According to Apple, this entitlement allows the loading of plug-ins signed by third-party developers. Yet, as far as we know, the only ‘plug-ins’ available to Microsoft’s macOS apps are web-based and known as ‘Office add-ins.’

“If this understanding is correct, it raises questions about the necessity of disabling library validation, especially if no additional libraries are expected to be loaded. By using this entitlement, Microsoft is circumventing the safeguards offered by the hardened runtime, potentially exposing its users to unnecessary risks.”

What experts say

Michael Covington, Jamf VP of strategy, describes the third-party plug-in support Microsoft has used as a weakness in Apple’s own security. 

“This is a noteworthy flaw in apps that naturally require permissions to Apple’s controlled resources, like the camera or microphone, because users are inclined to grant such permissions to collaboration tools like Microsoft Teams or logging tools like OneNote. Fortunately, Microsoft agreed to update these applications,” he told The Channel Company.

Covington also pointed out that while Microsoft hasn’t rectified the problem in the other applications, most users are “unlikely” to grant sensitive permissions to those apps.

Despite his pragmatism, it is hard to ignore that “unlikely” is not as great a protection as “never.”

How Apple could prevent this

The researchers suggest that Apple might want to begin notarizing third-party plug-ins to protect against such vulnerabilities, but this is more complex than it sounds. It would also require “Microsoft or Apple to sign third-party modules after verifying their security,” they said.

Another alternative — which sounds a more likely option — would be to give Mac users a permissions prompt to put them in control when loading third-party plug-ins. I imagine this would also impose time limits for the support of those plug-ins. I expect that Apple will now consider this option, as it is in keeping with other changes it is making in macOS to harden those systems.

What can you do to prevent such attacks?

There are alternatives to Microsoft’s productivity apps. The challenge is that not everyone uses them, many users are deeply invested in Office apps, and various forms of business communications and collaboration rely on them. 

It is, however, good practice to regularly review the Privacy & Security settings for Microphone and Camera on your Mac. In very general terms, if you don’t use dictation to write in Word, why does it have Microphone access?

We deserve better

You’d think the trend for designer insecurity within software would have met peak horizon following the billions of dollars of economic damage wrought by the Crowdstrike/Windows disaster in recent weeks. 

These newly disclosed vulnerabilities are not so is deeply distressing but once again underscore the argument that there is no such thing as a safe back door into any software. 

With nation-state hackers, highly paid mercenaries, and criminal gangs all deeply involved in undermining platform security, no vulnerability should be ignored, and when it is (or even may be) left unpatched, users, particularly enterprise users, should seek alternative platforms, applications, and code. 

And security regulators must increase the pressure on those companies most widely known to deliver insecure software to get their act together.

Every user on every platform deserves better.

Please follow me on LinkedIn, Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.