Microsoft apps on Apple macOS susceptible to code injection attacks, find researchers
Popular Microsoft apps designed specifically for Apple’s macOS operating system were found to be susceptible to code injection attacks, according to research published by Cisco Talos.
Researchers found eight vulnerabilities in apps including Excel, OneNote, Outlook, PowerPoint, Teams and Word, that could be exploited by threat actors to take advantage of Apple’s permission settings. These can be leveraged to inject malicious code in vulnerable apps to gain control and access resources including microphone, camera, folders, screen recording, user input and more.
The problem was found to have arisen due to the way macOS handles third-party app permissions.
Usually, operating systems follow a step-by-step process to ensure users have granted permission to third-party apps to access sensitive resources. Apple’s macOS also requires users to grant consent through pop-ups and includes provisions to stop code injection.
(For top technology news of the day, subscribe to our tech newsletter Today’s Cache)
However, since some apps which do not have consent to access sensitive resources in sandboxing, could skip the pop-up.
“MacOS trusts applications to self-police their permissions. A failure in this responsibility leads to a breach of the entire permission model, with applications inadvertently acting as proxies for unauthorised actions,” the researcher said.
Microsoft on its part has said that the issues are “low risk” and has declined to fix some of the apps.