Microsoft 365 apps for macOS exposed to library injection attacks

Written by Dave W. Shanahan

August 19, 2024

A recent discovery by Cisco Talos researchers has revealed a flaw in eight Microsoft 365 apps for macOS that could enable library injection attacks, putting sensitive data at risk. The impacted apps include popular services like Microsoft Teams, Outlook, PowerPoint, and Word.

What is library injection?

Library injection is a type of attack where an attacker injects malicious code into a legitimate application, allowing them to access sensitive data and perform unauthorized actions. In this case, the vulnerability in the Microsoft apps for macOS could allow attackers to bypass the operating system’s permission model and use existing app permissions without prompting the user for any additional verification.

How does the vulnerability work?

The vulnerability is caused by the presence of the com.apple.security.cs.disable-library-validation entitlement (https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_disable-library-validation) in the affected apps. This entitlement allows the loading of plug-ins signed by third-party developers, but it also disables the library validation protection that the hardened runtime would otherwise enforce for these apps. As a result, attackers could inject any library and run arbitrary code within the compromised application, potentially leading to the exploitation of the app’s full set of permissions and entitlements.
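A defender's check for the entitlement described above, as an added example that is not from the original article or from Cisco Talos: it parses an app's entitlements plist (for instance as printed by `codesign -d --entitlements - --xml <App.app>` on recent macOS) and reports which privacy permissions a loaded library would share. The function name, the severity labels and both sample plists are constructed for illustration.

```python
import plistlib

# Entitlement named in the article: switches off library validation.
DISABLE_LV = "com.apple.security.cs.disable-library-validation"
# Related Apple entitlement: lets DYLD_* variables reach a hardened process.
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
# Entitlements for privacy-protected resources that loaded code would share.
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendars",
    "com.apple.security.personal-information.location": "location",
    "com.apple.security.personal-information.photos-library": "photos",
}

def audit_entitlements(plist_bytes):
    """Classify one app's entitlements plist (XML or binary)."""
    ents = plistlib.loads(plist_bytes)
    # Only a boolean true grants an entitlement; <false/> must not be flagged.
    enabled = {k for k, v in ents.items() if v is True}
    lv_off = DISABLE_LV in enabled
    inherited = sorted(SENSITIVE[k] for k in enabled if k in SENSITIVE)
    if lv_off and inherited:
        severity = "high"      # foreign library would share these permissions
    elif lv_off:
        severity = "medium"    # injectable, but no sensitive entitlement held
    else:
        severity = "ok"        # library validation still enforced
    return {"library_validation_disabled": lv_off,
            "dyld_env_allowed": ALLOW_DYLD_ENV in enabled,
            "inherited": inherited, "severity": severity}

# Constructed sample inputs (not taken from any real application).
SAMPLE_RISKY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict></plist>"""
SAMPLE_HARDENED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><false/>
  <key>com.apple.security.device.camera</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("risky", SAMPLE_RISKY), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_entitlements(blob))
```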

Which Microsoft 365 apps for macOS are affected?

The following eight Microsoft 365 apps for macOS are affected by the vulnerability:

What is Microsoft doing to fix the issue?

Microsoft has updated four of the apps to remove the vulnerability: Microsoft Teams’ main app, WebView app, and ModuleHost app, as well as Microsoft OneNote. However, the remaining four apps (Microsoft Excel, Outlook, PowerPoint, and Word) are still vulnerable as of August 19, 2024.

How can users protect themselves?

To protect themselves from this vulnerability, users can take the following steps:

  • Update the affected apps to the latest version.
  • Use caution when installing third-party plug-ins or libraries.
  • Monitor their app permissions and report any suspicious activity.

Impact of the vulnerability

The vulnerability in the Microsoft 365 apps for macOS could have significant consequences for users. If exploited, attackers could gain access to sensitive data, including emails, documents, and other files. Additionally, attackers could use the compromised app to spread malware or conduct phishing attacks.

Why is library injection a concern?

Library injection is a concern because it allows attackers to bypass the operating system’s permission model and use existing app permissions without prompting the user for any additional verification. This could enable attackers to access sensitive data and perform unauthorized actions without the user’s knowledge or consent.

How can developers prevent library injection attacks?

Developers can prevent library injection attacks by following best practices for secure coding and app development. This includes:

  • Validating user input and ensuring that it conforms to expected formats.
  • Implementing robust error handling and exception handling mechanisms.
  • Using secure protocols for data transmission and storage.
  • Regularly updating and patching apps to fix vulnerabilities.

The discovery of this vulnerability highlights the importance of ensuring the security of applications and operating systems. Microsoft and other software vendors must prioritize the security of their products to protect users from potential threats. Users must also take steps to protect themselves by staying informed and exercising caution when using third-party plug-ins or libraries.


I'm Dave W. Shanahan, a Microsoft enthusiast with a passion for Windows, Xbox, Microsoft 365 Copilot, Azure, and more. I started MSFTNewsNow.com to keep the world updated on Microsoft news. Based in Massachusetts, you can email me at davewshanahan@gmail.com.