Microsoft macOS Apps Vulnerable to Permission Exploitation Through Library Injection

On August 19, 2024, Cisco Talos reported eight critical vulnerabilities in Microsoft applications running on macOS. These vulnerabilities allow attackers to exploit application permissions and entitlements by injecting malicious libraries.

[Cover image. The original image was generated by OpenAI's DALL-E and edited by the author. Source: OpenAI (August 2024)]

Introduction

On August 19, 2024, Cisco Talos reported eight critical vulnerabilities in Microsoft applications running on macOS. These vulnerabilities allow attackers to exploit application permissions and entitlements by injecting malicious libraries. This could enable unauthorized access to sensitive resources such as microphones, cameras, and user data, all without user consent. The vulnerabilities expose critical flaws in macOS's permission-based security model, specifically the Transparency, Consent, and Control (TCC) framework.

Report Overview

Cisco Talos researchers discovered these vulnerabilities during a comprehensive analysis of macOS applications, focusing on how the TCC framework manages app permissions. The TCC framework is designed to protect user privacy by requiring explicit consent before apps can access sensitive data. However, these vulnerabilities enable attackers to bypass this framework, exploiting the permissions already granted to Microsoft applications.

The vulnerabilities affect several Microsoft macOS applications, including Microsoft Outlook, Teams, PowerPoint, OneNote, Excel, and Word. They arise from how these applications handle dynamic libraries, specifically through their use of the com.apple.security.cs.disable-library-validation entitlement. This entitlement switches off library validation, a hardened runtime protection designed to prevent unauthorized code from being loaded into an application's process.

The affected applications have this entitlement set to true, which allows the loading of unsigned libraries and the execution of arbitrary code within the app's process space. Here is the list of identified vulnerabilities:

TALOS ID         CVE             Application
TALOS-2024-1972  CVE-2024-42220  Microsoft Outlook
TALOS-2024-1973  CVE-2024-42004  Microsoft Teams (work or school)
TALOS-2024-1974  CVE-2024-39804  Microsoft PowerPoint
TALOS-2024-1975  CVE-2024-41159  Microsoft OneNote
TALOS-2024-1976  CVE-2024-43106  Microsoft Excel
TALOS-2024-1977  CVE-2024-41165  Microsoft Word
TALOS-2024-1990  CVE-2024-41145  Microsoft Teams (work or school) WebView.app
TALOS-2024-1991  CVE-2024-41138  Microsoft Teams (work or school) com.microsoft.teams2.modulehost.app

The vulnerabilities allow attackers to inject malicious code into these applications, hijacking their permissions and entitlements. This could result in unauthorized actions such as recording audio, taking pictures, sending emails, or accessing user data without the user's knowledge or consent.

Cisco Talos researchers emphasize the importance of understanding the macOS security model and how entitlements and permissions are managed. The vulnerabilities found in Microsoft's macOS applications highlight the need for developers to carefully consider the security implications of disabling protections like library validation.

Insights and Analysis

These vulnerabilities pose a significant threat to user privacy and security. If successfully exploited, attackers could use the permissions granted to these Microsoft applications to perform unauthorized actions, compromising user data and privacy. Microsoft has classified these issues as low-risk, but the potential impact of an attack is substantial, particularly given the wide range of permissions that could be exploited.

To mitigate the risks associated with these vulnerabilities, users should regularly review the permissions granted to applications under "Privacy & Security" in macOS System Settings and revoke any access that is not needed. Keeping all applications updated to the latest versions is crucial, as recent updates have addressed some of the vulnerabilities. Developers, for their part, should avoid disabling protections such as the hardened runtime and library validation wherever possible, as these provide critical layers of defense against code injection.
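The entitlement check described above, as an added audit script that is not part of the original article or of the Talos report: it parses the XML entitlements that `codesign -d --entitlements :- <App.app>` prints, flags hardened-runtime relaxations such as com.apple.security.cs.disable-library-validation, and lists the TCC-protected resources (microphone, camera, contacts) that an injected library would inherit. The sample entitlements plist is constructed for illustration; the entitlement key names are Apple's documented ones.

```python
import plistlib
import subprocess
import sys

# Hardened-runtime entitlements that, when true, weaken code-injection protection.
RISKY_RUNTIME_ENTITLEMENTS = {
    "com.apple.security.cs.disable-library-validation": "unsigned or third-party dylibs may be loaded",
    "com.apple.security.cs.allow-dyld-environment-variables": "DYLD_* variables are honoured",
    "com.apple.security.cs.allow-unsigned-executable-memory": "unsigned executable memory allowed",
}
# Entitlements declaring access to TCC-protected resources: what an injected library would inherit.
SENSITIVE_ACCESS_ENTITLEMENTS = {
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.device.camera": "camera",
    "com.apple.security.personal-information.addressbook": "contacts",
}

# Constructed sample resembling the XML plist printed by `codesign -d --entitlements :- App.app`.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.device.audio-input</key><true/>
<key>com.apple.security.device.camera</key><true/>
<key>com.apple.security.cs.allow-jit</key><true/>
</dict></plist>"""


def parse_entitlements(xml_bytes: bytes) -> dict:
    """Parse codesign's XML entitlements output; unsigned binaries print nothing."""
    return plistlib.loads(xml_bytes) if xml_bytes.strip() else {}


def assess(entitlements: dict) -> dict:
    """List weakened protections and the sensitive access an injected library would inherit."""
    weakened = [k for k, on in entitlements.items() if k in RISKY_RUNTIME_ENTITLEMENTS and on is True]
    inherits = [SENSITIVE_ACCESS_ENTITLEMENTS[k] for k, on in entitlements.items()
                if k in SENSITIVE_ACCESS_ENTITLEMENTS and on is True]
    return {"weakened": weakened, "inherits": inherits, "high_risk": bool(weakened and inherits)}


def audit_app(app_path: str) -> dict:
    """macOS only: read a real bundle's entitlements with codesign and assess them."""
    try:
        out = subprocess.run(["codesign", "-d", "--entitlements", ":-", app_path],
                             capture_output=True, check=True).stdout
    except subprocess.CalledProcessError:  # not signed at all: nothing to assess
        out = b""
    return assess(parse_entitlements(out))


if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. "/Applications/Microsoft Outlook.app"
        print(path, audit_app(path))
```

A bundle reported as high_risk combines a disabled protection with declared access to a TCC-protected resource, which is exactly the combination the Talos findings describe.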

While the macOS security model offers robust protection, these vulnerabilities highlight the importance of maintaining strict security practices. Users and developers must remain vigilant in safeguarding privacy and security, especially when managing application permissions.

Indicators of Compromise (IOC)

Indicator (Type): Description

/Applications/Microsoft Outlook.app (File Path): The presence of this file path might indicate the use of Microsoft Outlook on macOS, which is vulnerable to library injection.
/Applications/Microsoft Teams (work or school).app (File Path): The presence of this file path could indicate a vulnerable version of Microsoft Teams on macOS.
@rpath/OPF.framework/Resources/OPF_Common.dylib (File Path): Dynamic library loaded by Microsoft Outlook, potentially replaced by malicious code.
@rpath/ADAL4.framework/Versions/A/ADAL4 (File Path): Another dynamic library in Microsoft Outlook that could be targeted for injection.
com.apple.security.cs.disable-library-validation (Entitlement Configuration): Entitlement in macOS applications that disables library validation, potentially exploited for code injection.

MITRE ATT&CK Mapping

Tactic / Technique (ID): Description

Privilege Escalation / Abuse Elevation Control Mechanism: AppleScript (T1548.001): Exploiting elevated permissions by abusing AppleScript or other scripting languages in macOS.
Defense Evasion / Exploitation for Defense Evasion (T1211): Using vulnerabilities in the application (e.g., disabled library validation) to bypass security mechanisms and avoid detection.
Execution / Command and Scripting Interpreter: AppleScript (T1059.002): Executing scripts using AppleScript to control macOS applications or inject malicious code into legitimate processes.
Persistence / Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006): Manipulating the loading of dynamic libraries by injecting malicious libraries into the execution path of macOS applications.
Collection / Input Capture: Audio Capture (T1123): Recording audio by exploiting microphone permissions granted to the application.
Collection / Input Capture: Video Capture (T1125): Capturing video or images using the camera by abusing entitlements of the compromised macOS application.
Credential Access / Credentials from Password Stores (T1555): Extracting credentials from keychains by exploiting the application's access to the macOS Keychain.

References

Cisco Talos, "How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions", August 19, 2024. Summary: An adversary could exploit these vulnerabilities by injecting malicious libraries into Microsoft's applications to gain their entitlements and user-granted permissions.