Microsoft “declined” to fix flaws that allow hackers to spy on Mac users

Anurag Singh

A set of vulnerabilities in Microsoft's macOS apps allows an attacker who can already run code on a Mac to spy on its user. According to a report, the apps can be abused to record video and sound from the device, access sensitive data, and escalate privileges, all without triggering a new permission prompt.

Cybersecurity group Cisco Talos found the flaws in Microsoft's macOS apps, including Outlook, Word, Teams, OneNote, and Excel. The weakness lets an attacker inject a malicious library into one of these apps; the injected code then runs inside the app's process and inherits both the app's entitlements and any permissions the user has already granted to that app.

macOS gates access to sensitive resources through its transparency, consent, and control (TCC) framework. When an app first tries to reach protected data or devices such as contacts, photos, the webcam, or the microphone, macOS displays a prompt and records the user's decision for that app.


However, before a hardened-runtime app can even ask for these permissions, it must declare what Apple calls entitlements, which are signed into the app at build time.

Microsoft's apps carry these entitlements, and one of them disables library validation, meaning the app will load libraries that are not signed by Apple or by Microsoft's own Team ID. An attacker who places a crafted library where the app loads it gets code running inside a process that the user has already trusted with the camera, microphone, or other data, so no new permission request ever appears.
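The practical check that follows from this is to audit which installed apps combine the library-validation opt-out with entitlements for TCC-protected resources. The script below is an added example written for this article, not Cisco Talos's tooling or any Microsoft code. The entitlement key names are Apple's real keys; the two embedded entitlement plists are constructed samples, and the optional live scan assumes a macOS 12 or newer `codesign` that accepts `--xml`.

```python
"""Flag app entitlements that disable library validation while also
granting access to TCC-protected resources (the pattern described above)."""
import plistlib
import shutil
import subprocess
from pathlib import Path

# Real Apple entitlement keys.
DISABLE_LIBRARY_VALIDATION = "com.apple.security.cs.disable-library-validation"
TCC_ENTITLEMENTS = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.microphone": "microphone",
    "com.apple.security.device.audio-input": "audio input",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendars",
    "com.apple.security.personal-information.photos-library": "photos",
    "com.apple.security.automation.apple-events": "Apple Events automation",
}

# Constructed sample: an app that opts out of library validation AND has
# camera/microphone entitlements. Not a real app's entitlements.
SAMPLE_RISKY = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.microphone</key><true/>
</dict></plist>"""

# Constructed sample: same resource access, but library validation left on.
SAMPLE_HARDENED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.microphone</key><true/>
</dict></plist>"""


def parse_entitlements(blob: bytes) -> dict:
    """Parse an XML entitlements plist; an empty blob means no entitlements."""
    return plistlib.loads(blob) if blob.strip() else {}


def assess(entitlements: dict) -> dict:
    """Return which TCC resources the app may reach and whether an injected
    library would inherit them (validation disabled + resource entitlements)."""
    validation_disabled = bool(entitlements.get(DISABLE_LIBRARY_VALIDATION))
    resources = [name for key, name in TCC_ENTITLEMENTS.items() if entitlements.get(key)]
    return {
        "library_validation_disabled": validation_disabled,
        "tcc_resources": resources,
        "injectable_with_tcc_access": validation_disabled and bool(resources),
    }


def read_entitlements(app_path: Path) -> dict:
    """Dump an app bundle's entitlements with codesign (macOS 12+ assumed)."""
    proc = subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", str(app_path)],
        capture_output=True, check=False,
    )
    try:
        return parse_entitlements(proc.stdout)
    except Exception:  # unsigned app or unexpected output format
        return {}


def scan_applications(root: str = "/Applications") -> list:
    """Assess every .app under root; returns (path, assessment) pairs."""
    return [(str(app), assess(read_entitlements(app)))
            for app in sorted(Path(root).glob("*.app"))]


if __name__ == "__main__":
    for label, blob in (("risky sample", SAMPLE_RISKY), ("hardened sample", SAMPLE_HARDENED)):
        print(label, assess(parse_entitlements(blob)))
    if shutil.which("codesign"):  # only meaningful on a real Mac
        for path, result in scan_applications():
            if result["injectable_with_tcc_access"]:
                print("FLAG", path, ", ".join(result["tcc_resources"]))
```

On a Mac the script lists every app in /Applications whose entitlements would let an injected library inherit camera, microphone, or similar access; elsewhere it only evaluates the two constructed samples.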

“We identified eight vulnerabilities in various Microsoft applications for macOS, through which an attacker could bypass the operating system’s permission model by using existing app permissions without prompting the user for any additional verification,” Cisco Talos researchers explain.

Cisco Talos did not publish a working exploit showing how the issues could be abused in real-world attacks, nor did it report any evidence that attackers have used them to reach users' sensitive information.

Microsoft has updated the Teams and OneNote apps for macOS, changing how those apps handle the library validation entitlement. Excel, PowerPoint, Word, and Outlook, however, remain affected.

The Redmond-based company does not consider the remaining issues a big enough threat to fix.

“Microsoft considers these issues low risk, and some of their applications, they claim, need to allow loading of unsigned libraries to support plugins and have declined to fix the issues,” the cybersecurity group said.