Eight vulnerabilities have been uncovered in Microsoft applications for macOS that an adversary could exploit to gain elevated privileges or access sensitive data by circumventing the operating system’s permissions-based model, which revolves around the Transparency, Consent, and Control (TCC) framework.
“If successful, the adversary could gain any privileges already granted to the affected Microsoft applications,” Cisco Talos said. “For example, the attacker could send emails from the user account without the user noticing, record audio clips, take pictures, or record videos without any user interaction.”
The shortcomings span various applications such as Outlook, Teams, Word, Excel PowerPoint, and OneNote.
The cybersecurity company said malicious libraries could be injected into these applications and gain their entitlements and user-granted permissions, which could then be weaponized for extracting sensitive information depending on the access granted to each of those apps.
TCC is a framework developed by Apple to manage access to sensitive user data on macOS, giving users added transparency into how their data is accessed and used by different applications installed on the machine.
This is maintained in the form of an encrypted database that records the permissions granted by the user to each application so as to ensure that the preferences are consistently enforced across the system.
“TCC works in conjunction with the application sandboxing feature in macOS and iOS,” Huntress notes in its explainer for TCC. “Sandboxing restricts an app’s access to the system and other applications, adding an extra layer of security. TCC ensures that apps can only access data for which they have received explicit user consent.”
Sandboxing is also a countermeasure that guards against code injection, which enables attackers with access to a machine to insert malicious code into legitimate processes and access protected data.
“Library injection, also known as Dylib Hijacking in the context of macOS, is a technique whereby code is inserted into the running process of an application,” Talos researcher Francesco Benvenuto said. “macOS counters this threat with features such as hardened runtime, which reduce the likelihood of an attacker executing arbitrary code through the process of another app.”
“However, should an attacker manage to inject a library into the process space of a running application, that library could use all the permissions already granted to the process, effectively operating on behalf of the application itself.”
It however bears noting that attacks of this kind require the threat actor to already have a certain level of access to the compromised host so that it could be abused to open a more privileged app and inject a malicious library, essentially granting them the permissions associated with the exploited app.
In other words, should a trusted application be infiltrated by an attacker, it could be leveraged to abuse its permissions and gain unwarranted access to sensitive information without users’ consent or knowledge.
This sort of breach could occur when an application loads libraries from locations the attacker could potentially manipulate and it has disabled library validation through a risky entitlement (i.e., set to true), which otherwise limits the loading of libraries to those signed by the application’s developer or Apple.
“macOS trusts applications to self-police their permissions,” Benvenuto noted. “A failure in this responsibility leads to a breach of the entire permission model, with applications inadvertently acting as proxies for unauthorized actions, circumventing TCC and compromising the system’s security model.”
Microsoft, for its part, considers the identified issues as “low risk” and that the apps are required to load unsigned libraries to support plugins. However, the company has stepped in to remediate the problem in its OneNote and Teams apps.
“The vulnerable apps leave the door open for adversaries to exploit all of the apps’ entitlements and, without any user prompts, reuse all the permissions already granted to the app, effectively serving as a permission broker for the attacker,” Benvenuto said.
“It’s also important to mention that it’s unclear how to securely handle such plug-ins within macOS’ current framework. Notarization of third-party plug-ins is an option, albeit a complex one, and it would require Microsoft or Apple to sign third-party modules after verifying their security.”
