Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Microsoft apps on MacOS apparently have some serious security flaws

A computer screen showing a spreadsheet in use.

A number of Microsoft productivity apps, built for the macOS operating system, are vulnerable in a way that allows hackers to steal sensitive data, record everything the user is doing on the device, record audio and video, and further escalate privileges.

This is according to a new report from cybersecurity researchers at Cisco Talos, who said the vulnerabilities they discovered revolve around the way permissions are handled on macOS. In layman’s terms, the first time an app needs access to, for example, the microphone, it will ask the user for explicit permission. After that, the access remains enabled until the user, once again, explicitly denies it.

Therefore, by hunting for apps that have already been granted extensive permissions, threat actors can run malicious operations on the target endpoint, the researchers concluded.

Microsoft app flaws

To that end, the team say they have identified eight vulnerabilities affecting six of Microsoft’s applications:

CVE-2024-42220 (Outlook)
CVE-2024-42004 (Teams – work or school) (main app)
CVE-2024-39804 (PowerPoint)
CVE-2024-41159 (OneNote)
CVE-2024-43106 (Excel)
CVE-2024-41165 (Word)
CVE-2024-41145 (Teams – work or school) (WebView.app helper app)
CVE-2024-41138 (Teams – work or school) (com.microsoft.teams2.modulehost.app)

While this may seem to be a major concern, Microsoft is under a different impression. The company told the researchers that there are too many variables, making exploiting these flaws highly unlikely.

As a result, the company has no plans to patch the flaws, stating, "Microsoft considers these issues low risk, and some of their applications, they claim, need to allow loading of unsigned libraries to support plugins and have declined to fix the issues,” the researchers said in the blog post.

However The Register has reported Microsoft has updated its Teams apps, and OneNote, to remove the feature that allowed library injection, which was at the very core of the issue.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.