Unpatched Vulnerabilities Found in Microsoft Apps for macOS
Researchers from Cisco Talos have reported discovering eight vulnerabilities in several Microsoft applications for macOS, including Teams, Outlook, Word, PowerPoint, OneNote, and Excel. According to the experts, these issues allow attackers to access “the microphone, camera, folders, screen recording, user input, and much more.”
The researchers warn that if a user grants these applications permission to access device resources, hackers could later exploit them to secretly record video or audio without the user’s knowledge. “If a trusted application is compromised, it can be used to abuse permissions, allowing attackers to perform actions without the user’s awareness. For example, if a video chat app with access to the camera and microphone is exploited, it can be forced to record video without warning the user,” Cisco explains.
Apple’s security model is based on permissions and relies on the TCC (Transparency, Consent, and Control) framework. This framework is responsible for requesting permissions when launching new applications and displays warnings if an app wants to access sensitive data such as contacts, photos, webcams, and so on.
TCC works with what Apple calls entitlements, only some of which are available to software vendors, and developers choose which ones to enable. For example, if an app has a feature that requires using the device’s microphone, developers activate this entitlement, and macOS then asks the user for explicit consent to use the microphone.
The Cisco Talos research highlights that once the user grants these permissions, they remain in effect until manually changed in the macOS system settings. This means an attacker can exploit applications that have already received the necessary permissions, without needing to trick the victim into running a suspicious program. For instance, a hacker could use Word for this purpose.
The specific issues identified by the researchers are related to library injection attacks—a technique that macOS tries to prevent using Hardened Runtime, a setting that restricts the loading of libraries that could contain malicious code.
However, since this setting can also limit certain features that applications may depend on, Apple advises developers to disable this protection using an entitlement if necessary to ensure their apps work properly. Cisco experts claim that Microsoft disables Hardened Runtime protections unnecessarily.
According to Cisco, the entitlement used by Microsoft is intended to allow applications to load plugins signed by third-party developers. “But as far as we know, the only ‘plugins’ available for Microsoft apps on macOS are web apps and ‘Office add-ins,’” Cisco says. “If our understanding is correct, this calls into question the need to disable library validation, especially if no additional libraries are expected to be loaded. By using this entitlement, Microsoft bypasses the guarantees provided by Hardened Runtime and potentially exposes its users to unnecessary risks.”
Cisco notified Microsoft about its findings, but the company considered these issues “low risk” and stated it does not plan to fix them. However, after the researchers’ report was published, Microsoft did update its Teams and OneNote apps to remove the controversial entitlement and close the potential vulnerability.
Cisco emphasizes that Excel, Outlook, PowerPoint, and Word remain vulnerable and “leave the door open for attackers who can use all the rights of these applications and, without any user interaction, reuse all permissions already granted to the apps.”
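The following Python check is an added example, not code from Cisco Talos, Microsoft, or Apple. It flags apps whose entitlements weaken Hardened Runtime (library validation disabled, or DYLD environment variables allowed) while also declaring access to TCC-protected resources such as the camera or microphone. It assumes each app's entitlements were exported as a plist, for example with codesign -d --entitlements - --xml <app>; the app names and sample plists are constructed.

```python
import plistlib

# Entitlement keys documented by Apple for Hardened Runtime.
WEAKENING = (
    "com.apple.security.cs.disable-library-validation",
    "com.apple.security.cs.allow-dyld-environment-variables",
)
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.photos-library": "photos",
}


def audit_entitlements(plist_bytes):
    """Classify one app from its entitlements plist (XML or binary)."""
    # Unsigned or entitlement-free binaries produce empty output.
    ents = plistlib.loads(plist_bytes) if plist_bytes.strip() else {}
    weakened = [k for k in WEAKENING if ents.get(k) is True]
    resources = sorted(n for k, n in SENSITIVE.items() if ents.get(k) is True)
    # An entitlement only lets the app ask; the user's grant lives in TCC.
    # at_risk means "injected code could reuse a grant if one exists".
    return {"weakened": weakened, "resources": resources,
            "at_risk": bool(weakened and resources)}


def audit_many(apps):
    """apps: {name: plist_bytes}. Return names flagged at_risk, sorted."""
    return sorted(n for n, p in apps.items() if audit_entitlements(p)["at_risk"])


# Constructed sample entitlements; app names are hypothetical.
SAMPLES = {
    "ChatApp": plistlib.dumps({
        "com.apple.security.cs.disable-library-validation": True,
        "com.apple.security.device.camera": True,
        "com.apple.security.device.audio-input": True}),
    "NotesApp": plistlib.dumps({
        "com.apple.security.device.audio-input": True}),
    "ToolApp": plistlib.dumps({
        "com.apple.security.cs.disable-library-validation": True}),
    "Unsigned": b"",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, audit_entitlements(blob))
```

Apps flagged here are candidates for review in System Settings under Privacy & Security, where the permissions they have already been granted can be revoked.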