MS Office apps for macOS allow circumventing of permissions

This makes code injection or even escalation of privileges possible

Some of the most widely used Microsoft Office apps for macOS contain a vulnerability that allows malicious actors to bypass and abuse existing permissions without additional authentication. This would theoretically allow them to send unauthorized e-mails, take photos and make audio or video recordings.

The apps affected are Word, Excel, PowerPoint, Outlook, OneNote, Teams and two Teams components. The vulnerabilities came to light following research by Cisco Talos and involve bypassing the Transparency, Consent and Control (TCC) permissions model, frequently used by Apple, because of exemptions that Microsoft itself has made in it by default to facilitate the loading of third-party plugins. Among other things, this leniency allows for code injection.

Apple’s customer-facing permission settings tend to be more stringent than the standard Discretionary Access Control (DAC) principle used in similar cases for Windows (Windows also uses TCC, but these tend to be less visible to end users). Users notice this when they have to give specific permission to use their device’s camera or microphone, for example.

Partially overlapping security

In macOS, these permissions can be changed via the settings menu’s ‘Privacy & Security’ section. In addition to this so-called sandboxing of apps, Apple also uses Hardened Runtime, which should make apps less susceptible to exploitation. With that, apps on macOS are sometimes ‘doubly’ secured through these partially overlapping systems.

Regardless, Microsoft has enabled such permissions by default for the aforementioned Office apps by setting the com.apple.security.cs.disable-library-validation entitlement to true. This makes it possible, all security measures notwithstanding, to load frameworks, libraries or plug-ins without explicit additional permission. It is precisely this lenient approach of the permission model that makes code injection possible.

At worst, this open doorway leads to leaking sensitive data or the escalation of privileges, according to the researchers.
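
A defender can check installed apps for this combination. The following is an added example, not code from the article or from Cisco Talos: it parses an app's entitlements plist and flags cases where library validation is disabled while the app is also entitled to sensitive resources. The verdict labels, the choice of camera and microphone as the sensitive set, and the sample plists are assumptions made for illustration.

```python
import plistlib

LIB_VALIDATION_OFF = "com.apple.security.cs.disable-library-validation"

# Assumption: the entitlements this audit treats as sensitive (camera, microphone).
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}


def audit_entitlements(plist_bytes):
    """Classify one app's entitlements plist.

    Returns (verdict, resources): "high" when library validation is disabled
    and the app is also entitled to sensitive resources, "review" when
    validation is disabled on its own, "ok" otherwise.
    """
    if not plist_bytes.strip():  # app signed without any entitlements
        return ("ok", [])
    ents = plistlib.loads(plist_bytes)
    if ents.get(LIB_VALIDATION_OFF) is not True:
        return ("ok", [])
    resources = sorted(name for key, name in SENSITIVE.items()
                       if ents.get(key) is True)
    return ("high" if resources else "review", resources)


# Constructed sample input; real input would be the XML printed by
# `codesign -d --entitlements - --xml <path to .app>` on macOS.
SAMPLE_LENIENT = plistlib.dumps({
    LIB_VALIDATION_OFF: True,
    "com.apple.security.device.camera": True,
    "com.apple.security.device.audio-input": True,
})
SAMPLE_STRICT = plistlib.dumps({"com.apple.security.device.camera": True})
SAMPLE_PLUGIN_ONLY = plistlib.dumps({LIB_VALIDATION_OFF: True})

if __name__ == "__main__":
    for label, sample in [("lenient", SAMPLE_LENIENT),
                          ("strict", SAMPLE_STRICT),
                          ("plugin-only", SAMPLE_PLUGIN_ONLY)]:
        print(label, audit_entitlements(sample))
```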

User convenience over security

Microsoft has patched the vulnerabilities in OneNote, Teams, and its components, which do not use plug-ins anyway. The remaining apps remain unpatched. Microsoft has indicated that they will remain so because it considers the vulnerability a ‘low-risk’ one. So, in this case, the company is putting user convenience over security.

According to Cisco Talos, turning off the so-called library validation would not even be necessary because the only plugins the Office apps use are web-based. According to the researchers, Microsoft could just as well close this loophole. As it stands, Microsoft potentially exposes users to ‘unnecessary risks’, the researchers say.

The vulnerabilities concern:

CVE             App name
CVE-2024-42220  Microsoft Outlook
CVE-2024-42004  Microsoft Teams (work or school) (patched)
CVE-2024-39804  Microsoft PowerPoint
CVE-2024-41159  Microsoft OneNote (patched)
CVE-2024-43106  Microsoft Excel
CVE-2024-41165  Microsoft Word
CVE-2024-41145  Microsoft Teams (work or school) WebView.app helper app (patched)
CVE-2024-41138  Microsoft Teams (work or school) com.microsoft.teams2.modulehost.app (patched)