Researchers from Cisco Talos have discovered eight vulnerabilities in Microsoft apps for the macOS operating system. Through these vulnerabilities, a malicious actor can bypass the operating system’s permission model by using an app’s existing permissions, without requiring additional verification from the user. Successful attacks could grant a malicious actor any privilege the targeted application has already been granted, such as sending emails, recording video and audio, or capturing pictures. According to the research, Microsoft considers these vulnerabilities to be low risk and has declined to fix the issues.
“Security teams must remain vigilant as there are vulnerabilities in Microsoft’s macOS apps that could lead to potential breaches,” says Eric Schwake, Director of Cybersecurity Strategy at Salt Security. “These vulnerabilities allow for malicious code injection, potentially enabling attackers to hijack user-granted permissions and access sensitive resources such as cameras, microphones, and screen recordings without user consent. Despite Microsoft downplaying the risk, the potential for unauthorized surveillance and data exfiltration is significant. Taking immediate action is crucial, so security teams should prioritize updating vulnerable apps, enforce strict access controls, and consider additional security measures such as restricting app permissions to mitigate these risks.”
Jason Soroko, Senior Vice President of Product at Sectigo, comments, “This is not something that should become a trend. Overcoming Apple’s security undermines why people buy into that ecosystem. This situation underscores the need for security teams to assess the entitlements and permissions granted to applications critically, even if users themselves don’t. Immediate actions should include reviewing and tightening app permissions, implementing monitoring for unusual activity, and encouraging users to update their software as soon as patches are released. Moreover, collaboration between software vendors and Apple to ensure security features are properly implemented without compromising functionality is essential.”