Microsoft 365 on macOS users at risk from hackers, but Redmond may underestimate threat

Microsoft deemed the vulnerabilities low risk for others despite persistent threats

Reading time icon 2 min. read


Readers help support MSpoweruser. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help MSPoweruser sustain the editorial team Read more

Key notes

  • Eight vulnerabilities in Microsoft 365 apps on macOS challenge Apple’s security reputation.
  • These flaws could grant unauthorized access to sensitive system resources.
  • Microsoft fixed some issues but left others unaddressed, considering them low risk.
macOS, MS365

Apple has a reputation for building a closed yet safe operating system environment, so much so that safety has become the Apple makers’ trademark.

But, a recent report tells a different story: at least eight vulnerabilities were discovered across Microsoft 365 productivity apps, which could be exploited to hijack app permissions and entitlements.

Cisco Talos has uncovered its findings in a recent report. The Maryland-based cybersecurity firm said that these eight vulnerabilities involve the injection of malicious libraries into apps like Microsoft Outlook, Teams, PowerPoint, OneNote, Excel, and Word, and bypassing macOS’ permission model.

Then, once bypassed, these vulnerabilities could give bad actors unauthorized access to sensitive parts of the system like the camera, microphone, and files.

While Microsoft did address the issue in some apps, they deemed the vulnerabilities low risk for others, which led to them not applying a full fix across all affected applications.

“Microsoft considers these issues low risk, and some of their applications, they claim, need to allow loading of unsigned libraries to support plugins and have declined to fix the issues,” the report reads, although, despite that, these flaws do present big security risks.

Apple’s security model for macOS is based on a permission system that uses the Transparency, Consent, and Control (TCC) framework. This system requires user permission for apps to access sensitive resources like contacts, photos, and microphones, based on “entitlements” that developers enable for their apps. Once set, these permissions remain in place unless manually changed by the user.

That means, still, even though macOS’ security system is designed to protect your personal information by asking for your permission before apps can access them, can be weakened if certain apps have vulnerabilities.

Back in 2021, Microsoft discovered a macOS vulnerability, “Shrootless,” allowing attackers to bypass System Integrity Protection (SIP), which Apple has since patched. At its peak, the flaw let attackers bypass the security feature that restricts root users from making changes that could compromise the system, such as installing malicious software or altering system files.

User forum

0 messages