Microsoft macOS Apps Vulnerable to Permission Exploitation Through Library Injection
On August 19, 2024, Cisco Talos reported eight critical vulnerabilities in Microsoft applications running on macOS. These vulnerabilities allow attackers to exploit application permissions and entitlements by injecting malicious libraries.
Introduction
On August 19, 2024, Cisco Talos reported eight critical vulnerabilities in Microsoft applications running on macOS. These vulnerabilities allow attackers to exploit application permissions and entitlements by injecting malicious libraries. This could enable unauthorized access to sensitive resources such as microphones, cameras, and user data, all without user consent. The vulnerabilities expose critical flaws in macOS's permission-based security model, specifically the Transparency, Consent, and Control (TCC) framework.
Report Overview
Cisco Talos researchers discovered these vulnerabilities during a comprehensive analysis of macOS applications, focusing on how the TCC framework manages app permissions. The TCC framework is designed to protect user privacy by requiring explicit consent before apps can access sensitive data. However, these vulnerabilities enable attackers to bypass this framework, exploiting the permissions already granted to Microsoft applications.
The vulnerabilities impact several Microsoft macOS applications, including Microsoft Outlook, Teams, PowerPoint, OneNote, Excel, and Word. They arise from how these applications handle dynamic libraries, specifically through the use of the com.apple.security.cs.disable-library-validation entitlement. This entitlement disables macOS's hardened runtime, designed to prevent unauthorized code injection into applications.
The affected applications have this entitlement set to true, which allows the loading of unsigned libraries and the execution of arbitrary code within the app's process space. Here is the list of identified vulnerabilities:
| TALOS ID | CVE | APP NAME |
|---|---|---|
| TALOS-2024-1972 | CVE-2024-42220 | Microsoft Outlook |
| TALOS-2024-1973 | CVE-2024-42004 | Microsoft Teams (work or school) |
| TALOS-2024-1974 | CVE-2024-39804 | Microsoft PowerPoint |
| TALOS-2024-1975 | CVE-2024-41159 | Microsoft OneNote |
| TALOS-2024-1976 | CVE-2024-43106 | Microsoft Excel |
| TALOS-2024-1977 | CVE-2024-41165 | Microsoft Word |
| TALOS-2024-1990 | CVE-2024-41145 | Microsoft Teams (work or school) WebView.app |
| TALOS-2024-1991 | CVE-2024-41138 | Microsoft Teams (work or school) com.microsoft.teams2.modulehost.app |
The vulnerabilities allow attackers to inject malicious code into these applications, hijacking their permissions and entitlements. This could result in unauthorized actions such as recording audio, taking pictures, sending emails, or accessing user data without the user's knowledge or consent.
Cisco Talos researchers emphasize the importance of understanding the macOS security model and how entitlements and permissions are managed. The vulnerabilities found in Microsoft's macOS applications highlight the need for developers to carefully consider the security implications of disabling protections like library validation.
Insights and Analysis
These vulnerabilities pose a significant threat to user privacy and security. If successfully exploited, attackers could use the permissions granted to these Microsoft applications to perform unauthorized actions, compromising user data and privacy. Microsoft has classified these issues as low-risk, but the potential impact of an attack is substantial, particularly given the wide range of permissions that could be exploited.
To mitigate the risks associated with these vulnerabilities, users should regularly check the permissions granted to applications in the "Privacy & Security" settings of macOS and revoke any unnecessary access. Ensuring that all applications are updated to the latest versions is crucial, as recent updates have addressed some vulnerabilities. Additionally, avoiding disabling security features like hardened runtime and library validation where possible is essential, as these provide critical layers of protection against attacks.
While the macOS security model offers robust protection, these vulnerabilities highlight the importance of maintaining strict security practices. Users and developers must remain vigilant in safeguarding privacy and security, especially when managing application permissions.
Indicators of Compromise (IOC)
| Indicator | Type | Description |
|---|---|---|
/Applications/Microsoft Outlook.app | File Path | The presence of this file path might indicate the use of Microsoft Outlook on macOS, which is vulnerable to library injection. |
/Applications/Microsoft Teams (work or school).app | File Path | The presence of this file path could indicate a vulnerable version of Microsoft Teams on macOS. |
@rpath/OPF.framework/Resources/OPF_Common.dylib | File Path | Dynamic library loaded by Microsoft Outlook, potentially replaced by malicious code. |
@rpath/ADAL4.framework/Versions/A/ADAL4 | File Path | Another dynamic library in Microsoft Outlook that could be targeted for injection. |
com.apple.security.cs.disable-library-validation | Entitlement Configuration | Entitlement in macOS applications that disables library validation, potentially exploited for code injection. |
MITRE ATT&CK Mapping
| Tactic | Technique | ID | Description |
|---|---|---|---|
| Privilege Escalation | Abuse Elevation Control Mechanism: AppleScript | T1548.001 | Exploiting elevated permissions by abusing AppleScript or other scripting languages in macOS. |
| Defense Evasion | Exploitation for Defense Evasion | T1211 | Using vulnerabilities in the application (e.g., disabling library validation) to bypass security mechanisms and avoid detection. |
| Execution | Command and Scripting Interpreter: AppleScript | T1059.002 | Executing scripts using AppleScript to control the macOS applications or inject malicious code into legitimate processes. |
| Persistence | Hijack Execution Flow: Dynamic Linker Hijacking | T1574.006 | Manipulating the loading of dynamic libraries by injecting malicious libraries into the execution path of macOS applications. |
| Collection | Input Capture: Audio Capture | T1123 | Recording audio by exploiting microphone permissions granted to the application. |
| Collection | Input Capture: Video Capture | T1125 | Capturing video or images using the camera by abusing entitlements of the compromised macOS application. |
| Credential Access | Credentials from Password Stores | T1555 | Extracting credentials from keychains by exploiting the application’s access to the macOS Keychain. |
References
Francesco Benvenuto
Comments ()