A cadre of eight newly identified vulnerabilities has been discovered within Microsoft’s suite of macOS applications, presenting a potential avenue for malicious entities to acquire elevated privileges or unfettered access to sensitive information by circumventing the operating system’s permission-based structure, specifically the Transparency, Consent, and Control (TCC) framework.
“Should these flaws be successfully exploited, adversaries could commandeer any privileges previously conferred upon the compromised Microsoft applications,” Cisco Talos disclosed. “This could manifest in scenarios where an attacker surreptitiously dispatches emails from the user’s account, records audio segments, captures images, or even records video, all without the user’s awareness or interaction.”
The vulnerabilities are distributed across several widely-used applications, including Outlook, Teams, Word, Excel, PowerPoint, and OneNote.
According to the cybersecurity firm, hostile actors could inject malicious libraries into these applications, thereby inheriting the permissions and entitlements granted by the user. These hijacked privileges could then be leveraged to extract confidential information, contingent upon the level of access afforded to each respective application.
The TCC framework, developed by Apple, serves as a safeguard to manage access to sensitive user data on macOS, offering users enhanced visibility into how their data is accessed and utilized by various applications installed on their systems.
This framework is enforced via an encrypted database that meticulously records the permissions granted by the user to each application, thereby ensuring that these preferences are uniformly applied across the operating system.
“TCC operates in tandem with macOS and iOS’s application sandboxing feature,” explains Huntress in their TCC exposé. “Sandboxing limits an application’s access to the system and other apps, adding a supplementary layer of security. TCC guarantees that applications can only access data for which they have received explicit user consent.”
Sandboxing also acts as a deterrent against code injection attacks, which enable threat actors with access to a machine to implant malicious code into legitimate processes, subsequently gaining access to protected data.
“Library injection, colloquially referred to as Dylib Hijacking in macOS contexts, is a method by which code is inserted into the running process of an application,” elucidated Talos researcher Francesco Benvenuto. “macOS mitigates this threat through features like hardened runtime, which diminishes the probability of an attacker executing arbitrary code via another application’s process.”
“However, if an attacker were to succeed in injecting a library into the process space of an active application, that library could exploit all the permissions already granted to the process, effectively acting on behalf of the application itself.”
It’s important to note, however, that attacks of this nature require the threat actor to already have some degree of access to the compromised host. That foothold could then be used to launch a more privileged application and inject a malicious library into it, thereby acquiring the permissions associated with the exploited app.
In essence, if a trusted application is infiltrated by an attacker, it could be manipulated to abuse its permissions and illicitly access sensitive information without the user’s consent or knowledge.
This type of breach can occur when an application loads libraries from locations that an attacker could tamper with and has also disabled library validation through a hazardous entitlement (e.g., one set to true). With library validation left in place, the loader would only accept libraries signed by the application’s developer or by Apple.
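The check a defender would want at this point is an inventory of which installed apps combine disabled library validation with access to TCC-protected resources. The following script is an added example, not code from Talos, Huntress or Microsoft: it parses the entitlements plist that `codesign -d --entitlements :- /path/to/App.app` prints on macOS and rates each app's exposure. The entitlement keys are Apple's real keys; the two embedded plists, the app names `ExampleMail.app` and `ExampleNotes.app`, and the high/medium/low triage rule are constructed for the example.

```python
"""Constructed example (not Talos's or Microsoft's code): triage macOS app
entitlements for the library-injection exposure described above.

Input is the entitlements plist that `codesign -d --entitlements :- App.app`
prints on macOS; here two plists are embedded inline for the hypothetical
ExampleMail.app and ExampleNotes.app so the script runs offline.
"""
import plistlib
from dataclasses import dataclass, field

# Real Apple hardened-runtime exception entitlements that weaken library loading.
DISABLE_LIBRARY_VALIDATION = "com.apple.security.cs.disable-library-validation"
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"

# Real Apple entitlements that request access to TCC-protected resources.
SENSITIVE_ENTITLEMENTS = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.microphone": "microphone",
    "com.apple.security.device.audio-input": "audio input",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendars",
    "com.apple.security.personal-information.location": "location",
    "com.apple.security.personal-information.photos-library": "photos",
}


@dataclass
class Finding:
    app: str
    library_validation_disabled: bool
    dyld_env_allowed: bool
    sensitive: list = field(default_factory=list)
    risk: str = "low"


def audit_entitlements(app: str, plist_xml: bytes) -> Finding:
    """Parse one app's entitlements and rate its injection exposure.

    Triage rule (an assumption of this example, not a published policy):
    high   = library validation off AND sensitive entitlements present, so an
             injected dylib would inherit real TCC-protected access;
    medium = library validation off (or DYLD env vars allowed) but nothing
             sensitive to inherit;
    low    = hardened-runtime library validation left in place.
    """
    ents = plistlib.loads(plist_xml)
    lib_val_off = bool(ents.get(DISABLE_LIBRARY_VALIDATION, False))
    dyld_env = bool(ents.get(ALLOW_DYLD_ENV, False))
    sensitive = sorted(label for key, label in SENSITIVE_ENTITLEMENTS.items() if ents.get(key))
    if lib_val_off and sensitive:
        risk = "high"
    elif lib_val_off or dyld_env:
        risk = "medium"
    else:
        risk = "low"
    return Finding(app, lib_val_off, dyld_env, sensitive, risk)


# Constructed sample: a plugin-hosting app that turned library validation off.
MAIL_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.microphone</key><true/>
</dict>
</plist>"""

# Constructed sample: same sensitive access, but hardened-runtime defaults kept.
NOTES_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.app-sandbox</key><true/>
  <key>com.apple.security.device.camera</key><true/>
</dict>
</plist>"""


def format_report(findings: list) -> list:
    """One line per app, highest risk first, for a quick review list."""
    order = {"high": 0, "medium": 1, "low": 2}
    lines = []
    for f in sorted(findings, key=lambda x: order[x.risk]):
        lines.append(f"{f.risk.upper():6} {f.app}: lib-validation-off={f.library_validation_disabled} "
                     f"dyld-env={f.dyld_env_allowed} sensitive={', '.join(f.sensitive) or '-'}")
    return lines


if __name__ == "__main__":
    results = [audit_entitlements("ExampleMail.app", MAIL_ENTITLEMENTS),
               audit_entitlements("ExampleNotes.app", NOTES_ENTITLEMENTS)]
    print("\n".join(format_report(results)))
```

Entitlements only show what an app may request; which grants the user actually approved live in the TCC database, so a "high" line here means "worth checking what this app has been granted", not "already compromised". On a real machine, feed the script the output of `codesign -d --entitlements :-` for each bundle under `/Applications`.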
“macOS trusts applications to self-govern their permissions,” Benvenuto remarked. “A lapse in this responsibility leads to a collapse of the entire permission framework, with applications inadvertently serving as conduits for unauthorized actions, circumventing TCC and undermining the system’s security model.”
Microsoft, for its part, has classified the identified issues as “low risk,” noting that the applications are designed to load unsigned libraries to support plugins. Nonetheless, the company has undertaken remedial measures, particularly in its OneNote and Teams applications.
“The vulnerable apps create a gateway for adversaries to exploit all the app’s entitlements and, without any user prompts, reuse all the permissions already granted to the app, effectively functioning as a permission broker for the attacker,” Benvenuto elaborated.
“It’s also worth mentioning that there is currently no clear guidance on how to securely manage such plugins within macOS’s existing framework. Notarization of third-party plugins is one potential solution, albeit a complex one, requiring Microsoft or Apple to sign third-party modules after rigorous security verification.”