Security experts are warning millions of Apple Mac users to protect themselves after discovering that hackers can use apps to spy on people.
Cybersecurity group Cisco Talos this week discovered eight vulnerabilities in several Microsoft applications, including Teams, Outlook, Word and PowerPoint, that can allow cybercriminals to gain access to your computer.
The company has warned Apple users that hackers are injecting malicious code into apps, allowing them to take over permissions granted to users that give apps access to the microphone and camera.
While Apple’s macOS systems have security measures in place to protect users from malicious actors, they can still inject malicious code through malware, software designed to gain unauthorized access to a device.
Security experts are warning millions of Apple users to protect themselves after discovering that hackers can use Microsoft apps to spy on people.
The vulnerability was discovered in Microsoft macOS applications that use Transparency, Consent, and Control (TCC) to manage user permissions to access location services, photos, folders, and screen recordings.
Cisco Talos discovered that the TCC framework provides hackers with a gateway to steal app permission and take over the device.
If hackers gained access through Microsoft applications, they could send emails from users’ accounts without them realizing it, as well as take photos and record audio and video clips.
They could also leak sensitive information or escalate privileges, granting them access to other personal data and system privileges.
‘We identified eight vulnerabilities in multiple Microsoft applications for macOS, through which an attacker could bypass the operating system’s permissions model by using existing application permissions without prompting the user for any additional verification,’ Cisco Talos reported.
For those wondering how hackers could access the camera or microphone through applications like Word that don’t normally require their use, the group explained that “all applications except Excel have the ability to record audio, some can even access the camera.”
Malicious actors are reportedly using macOS permission settings to secretly record video or audio without the user’s knowledge.
Permissions control what data apps on a user’s mobile device can access, which they can allow or deny and change their preferences in their settings.
After an app is downloaded, it will typically send a notification to the user requesting permission to read, modify, or delete files, photos, and videos, track the user’s location, and take photos and record videos.
The default macOS security policy provides users with minimal protection against malware that is installed without expressly requiring users’ permission.
All of the vulnerabilities are linked to potential library injections that macOS attempts to protect users from through Hardened Runtime, a system that is supposed to prevent hackers from downloading malicious code onto the system.
However, Cisco Talos said Microsoft disabled some of the Hardened Runtime features so that third-party companies could add social sharing buttons, contact forms, and other analytics tools.
If hackers gained access through Microsoft applications, they could send emails from users’ accounts, including Teams, Outlook, Word and PowerPoint, without them realizing it, as well as take photos and record audio and video clips.
Despite Microsoft’s alleged claims that it is imperative to allow third-party access to user permissions, Cisco Talos reported that it is not necessary because “to our knowledge, the only ‘add-ins’ available for Microsoft macOS applications are web-based and known as ‘Office Add-ins.'”
“If this interpretation is correct, it raises questions about the need to disable library validation, especially if no additional libraries are expected to be loaded,” Cisco Talos continued.
‘By using this right, Microsoft is circumventing the protections offered by the hardened execution environment, potentially exposing its users to unnecessary risks.’
The company said Microsoft considers the vulnerabilities to be “low risk” and has apparently “refused to fix the issues.”
After Cisco Talos reported the issues, Microsoft updated its Teams and OneNote apps on macOS, but did not update validation requirements in Excel, PowerPoint, Word, and Outlook.
The company warned that by leaving these doors open to adversaries, Microsoft is allowing hackers to “exploit all of the apps’ entitlements and, without any input from the user, reuse all of the permissions already granted to the app, effectively acting as a permissions broker for the attacker.”
DailyMail.com has contacted Microsoft for comment.
