Eight vulnerabilities have been discovered in Microsoft's macOS apps that an attacker could exploit to gain elevated privileges or access sensitive data by circumventing the operating system's permission model, which revolves around the Transparency, Consent, and Control (TCC) framework.
"If successful, the adversary could gain any privileges already granted to the affected Microsoft application," Cisco Talos said. "For example, an attacker can send emails from a user's account without the user noticing, record audio clips, take photos, or record videos without any interaction with the user."
The vulnerabilities cover various programs such as Outlook, Teams, Word, Excel, PowerPoint, and OneNote.
The cybersecurity company said that malicious libraries can be planted in these applications and inherit the rights and permissions the user has granted them, which can then be weaponized to extract sensitive information, depending on the access granted to each application.
TCC is a framework designed by Apple to manage access to sensitive user data in macOS, giving users additional transparency into how their data is accessed and used by various applications installed on the machine.
This is maintained in the form of an encrypted database that records the permissions granted by the user for each application to ensure that preferences are consistently enforced across the system.
"TCC works in conjunction with the app sandbox feature on macOS and iOS," Huntress notes in its explanation of TCC. "Sandboxing limits a program's access to the system and other programs, adding an extra layer of security. TCC ensures that apps can only access data for which they have received explicit user consent."
Sandboxing is also a countermeasure against code injection, in which an attacker with access to the machine injects malicious code into legitimate processes in order to reach protected data.
"Library injection, also known as Dylib Hijacking in the context of macOS, is a method by which code is injected into a running application process," said Talos researcher Francesco Benvenuto. "macOS counters this threat with features such as hardened runtime, which reduce the likelihood that an attacker will execute arbitrary code through another program's process."
“However, if an attacker manages to inject a library into the process space of a running application, that library can use all the permissions already granted to the process, effectively acting on behalf of the application itself.”
However, it's worth noting that attacks like this require the threat actor to already have some level of access to the compromised host, which can then be abused to launch a more privileged application and inject the malicious library, effectively granting the attacker the permissions of the exploited application.
In other words, if an attacker infiltrates a trusted program, its permissions can be abused to gain unauthorized access to sensitive information without the user's consent or knowledge.
This kind of violation can occur if an application loads libraries from locations that an attacker can potentially manipulate, and it has disabled library validation via a risky entitlement (i.e., set to true), which would otherwise restrict library loading to libraries signed by the application's developer or by Apple.
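An added defender-side audit, written for this article and not code from Talos, Microsoft or Apple, that reports which installed app bundles carry the entitlement disabling library validation. It assumes the "risky entitlement" above is Apple's com.apple.security.cs.disable-library-validation and parses the entitlement XML that `codesign -d --entitlements :-` prints; the sample plists at the bottom are constructed for offline checking.

```shell
#!/bin/sh
# Added example: audit macOS app bundles for the entitlement that disables
# library validation. Assumption: the entitlement in question is Apple's
# com.apple.security.cs.disable-library-validation (the article does not name it).

RISKY_KEY="com.apple.security.cs.disable-library-validation"

# Read entitlement XML on stdin (the format `codesign -d --entitlements :- App.app`
# prints) and print "risky" when the key is present and set to <true/>, else "ok".
classify_entitlements() {
  awk -v key="$RISKY_KEY" '
    index($0, "<key>" key "</key>") { found = 1; next }   # value sits on the next line
    found && /<true\/>/             { result = "risky"; exit }
    { found = 0 }
    END { print (result == "" ? "ok" : result) }
  '
}

# Audit one app bundle with codesign (macOS only).
audit_app() {
  codesign -d --entitlements :- "$1" 2>/dev/null | classify_entitlements
}

# Walk /Applications and list bundles that carry the risky entitlement.
audit_all() {
  for app in /Applications/*.app; do
    [ -d "$app" ] || continue
    [ "$(audit_app "$app")" = "risky" ] && echo "RISKY: $app"
  done
  return 0
}

# Constructed sample entitlements (not taken from any real binary).
SAMPLE_RISKY='<plist version="1.0"><dict>
	<key>com.apple.security.cs.disable-library-validation</key>
	<true/>
</dict></plist>'
SAMPLE_SAFE='<plist version="1.0"><dict>
	<key>com.apple.security.cs.disable-library-validation</key>
	<false/>
	<key>com.apple.security.app-sandbox</key>
	<true/>
</dict></plist>'
SAMPLE_NONE='<plist version="1.0"><dict>
	<key>com.apple.security.app-sandbox</key>
	<true/>
</dict></plist>'
```

A bundle flagged as RISKY is only fully exposed if it also loads libraries from a directory the attacker can write to, so pair this output with a check of the app's plug-in directory permissions.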
“macOS trusts apps to control their own permissions,” Benvenuto noted. “Failure to fulfill this responsibility results in a breach of the entire permission model, where applications inadvertently act as proxies for unauthorized activities, bypassing TCC and compromising the system’s security model.”
Microsoft, for its part, considers the identified issues to be "low risk" and says its applications need to load unsigned libraries to support plug-ins. The company has nevertheless fixed the problem in its OneNote and Teams apps.
“Vulnerable applications leave the door open for adversaries to exploit all application rights and, without any user prompting, reuse all permissions already granted to the application, effectively serving as a permission broker for the attacker,” Benvenuto said.
"It's also important to mention that it's not clear how to securely handle such plug-ins within the current macOS framework. Notarizing third-party plug-ins is an option, albeit a complex one, and would require Microsoft or Apple to sign third-party modules after verifying their security."