Eight vulnerabilities have been discovered in Microsoft applications for macOS, which could be exploited by attackers to gain elevated privileges or access sensitive data by bypassing the operating system’s permissions-based model, specifically the Transparency, Consent, and Control (TCC) framework.
“If successful, the adversary could gain any privileges already granted to the affected Microsoft applications,” stated Cisco Talos. “For instance, the attacker could send emails from the user’s account without their knowledge, record audio, capture photos, or record videos without any user interaction.”
These vulnerabilities affect various Microsoft applications, including Outlook, Teams, Word, Excel, PowerPoint, and OneNote. Cisco Talos explained that malicious libraries could be injected into these applications, gaining the entitlements and user-granted permissions of the apps. This access could be weaponized to extract sensitive information, depending on the specific permissions granted to each application.
The TCC framework, developed by Apple, is designed to manage access to sensitive user data on macOS, providing users with transparency regarding how their data is accessed and used by different applications installed on their devices. TCC maintains an encrypted database that records the permissions granted by the user to each application, ensuring consistent enforcement of these preferences across the system.
“TCC works in conjunction with the application sandboxing feature in macOS and iOS,” Huntress explains in its TCC overview. “Sandboxing restricts an app's access to the system and other applications, adding an extra layer of security. TCC ensures that apps can only access data for which they have received explicit user consent.”
Sandboxing also serves as a defense mechanism against code injection attacks, where attackers can insert malicious code into legitimate processes to access protected data.
“Library injection, or Dylib Hijacking in the macOS context, is a method where code is inserted into the running process of an application,” said Talos researcher Francesco Benvenuto. “macOS mitigates this risk with features like hardened runtime, which lowers the chances of attackers executing arbitrary code within another app’s process.”
However, if an attacker successfully injects a library into a running application’s process, that library can utilize all the permissions already granted to the application, effectively operating under its authority.
It is important to note that such attacks require the threat actor to already have some level of access to the compromised host, which can then be exploited to open a more privileged application and inject a malicious library. This would grant the attacker the permissions associated with the compromised application.
If an attacker infiltrates a trusted application, they can abuse its permissions to gain unauthorized access to sensitive information without the user’s consent or awareness. This type of breach can occur when an application loads libraries from locations that an attacker could manipulate and has disabled library validation through a risky entitlement (that is, the entitlement is set to true). Library validation would typically restrict library loading to libraries signed by the app’s developer or Apple.
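A defender can check for the condition described above by auditing an app's entitlements. The following is an added example, not code from Talos, Microsoft or the original article: it assumes the entitlements have already been extracted as a plist (for instance with `codesign`), and the function name and both sample plists are constructed for illustration and do not reproduce any real app's entitlements.

```python
import plistlib

# Hardened-runtime entitlement that switches off library validation.
DISABLE_LV = "com.apple.security.cs.disable-library-validation"
# Entitlement that lets DYLD_* environment variables affect library loading.
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
# Entitlements that allow an app to request TCC-protected resources.
# The user's actual grants live in the TCC database, not in the entitlements.
TCC_ENTITLEMENTS = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendars",
    "com.apple.security.personal-information.location": "location",
    "com.apple.security.personal-information.photos-library": "photos",
}


def audit_entitlements(plist_bytes):
    """Report whether an entitlements plist pairs disabled library
    validation with access to TCC-protected resources."""
    ent = plistlib.loads(plist_bytes)
    lv_disabled = ent.get(DISABLE_LV) is True
    resources = sorted(
        name for key, name in TCC_ENTITLEMENTS.items() if ent.get(key) is True
    )
    return {
        "library_validation_disabled": lv_disabled,
        "dyld_env_allowed": ent.get(ALLOW_DYLD_ENV) is True,
        "tcc_resources": resources,
        # Unsigned libraries may load AND would inherit sensitive access.
        "at_risk": lv_disabled and bool(resources),
    }


# Constructed sample: library validation disabled, camera and microphone usable.
SAMPLE_RISKY = plistlib.dumps({
    DISABLE_LV: True,
    "com.apple.security.device.camera": True,
    "com.apple.security.device.audio-input": True,
})
# Constructed sample: same resources, library validation left enabled.
SAMPLE_HARDENED = plistlib.dumps({
    "com.apple.security.device.camera": True,
    "com.apple.security.device.audio-input": True,
})

if __name__ == "__main__":
    for label, sample in (("risky", SAMPLE_RISKY), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_entitlements(sample))
```

An `at_risk` result only means the entitlement combination is present; whether a library can actually be planted still depends on the app loading from a location an attacker can write to.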
“macOS trusts applications to self-police their permissions,” Benvenuto noted. “A failure in this responsibility leads to a breach of the entire permission model, with applications inadvertently acting as proxies for unauthorized actions, circumventing TCC and compromising the system’s security model.”
Microsoft has assessed the identified vulnerabilities as “low risk” and mentioned that their apps require the loading of unsigned libraries to support plugins. Despite this, Microsoft has taken steps to address the issues in its OneNote and Teams applications.
“The vulnerable apps create an opportunity for adversaries to exploit all the apps’ entitlements and, without any user prompts, reuse all the permissions already granted to the app, effectively serving as a permission broker for the attacker,” Benvenuto explained.
“It’s also worth noting that securely handling such plugins within the current macOS framework remains a challenge. While notarizing third-party plugins is a potential solution, it’s complex and would necessitate Microsoft or Apple signing third-party modules after thorough security verification.”