Popular Microsoft apps for Mac at risk of code injection attacks



Several Microsoft applications designed specifically for the Apple macOS operating system are at risk of being subverted by malicious actors, according to research from Cisco Talos.

Talos researcher Francesco Benvenuto found eight vulnerabilities in widely used Microsoft properties including Excel, OneNote, Outlook, PowerPoint, Teams and Word.

If exploited, the flaws would enable a threat actor to take advantage of Apple’s permission settings to inject malicious libraries into the vulnerable apps and gain control of their entitlements and user permissions.

“Permissions regulate whether an app can access resources such as the microphone, camera, folders, screen recording, user input and more. So, if an adversary were to gain access to these, they could potentially ***** sensitive information or, in the worst case, escalate privileges,” wrote Benvenuto.

How it works

The scope of the problem hinges on how macOS handles third-party app permissions. Usually, operating systems base these policies on the principles of discretionary access control (DAC), but this provides very limited protection against vulnerable software or malware running with user or root privileges.

Apple therefore goes further, securing access to some resources using Transparency, Consent and Control (TCC), which requires apps to obtain explicit human consent before accessing protected resources such as the microphone, camera and so on.

This consent mechanism manifests to the user as a pop-up, which will be familiar to most Mac owners. That decision is then recorded for future reference, and can be changed later in the device's Privacy & Security settings if wanted.

macOS also includes provisions to stop code injection by requiring apps distributed through the App Store to be sandboxed, which restricts access to the resources that the app explicitly requests through entitlements – some of which are further governed by the user consent pop-up.

As an example, Benvenuto explained, a properly sandboxed app will prompt for camera access only if it has the camera entitlement set to ‘true’. If that entitlement isn’t present, it won’t be allowed, and the user won’t ever see a pop-up.

Notarised apps – those that have been checked by Apple’s scanners for dodgy components – are also required to enable hardened runtime to make them more resistant to code injection.

Apps that may need to perform higher-risk actions such as loading an untrusted library – which include all the Microsoft ones in scope of the research – must declare that intent through their entitlements. In this case, their developers need to set the disable library validation entitlement to ‘true’.

Together, these features are supposed to provide enhanced protection for Mac users. However, if an attacker is able to inject a malicious code library into the process space of a running application, that library can then use all the permissions that have been granted to the application.

So, as demonstrated by the research, the Microsoft apps in scope become vulnerable if they load a library that a threat actor has compromised.
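To make the permission model described above concrete, here is a small audit script, added to this post and not taken from Cisco Talos or Microsoft, that parses an app's entitlements plist and flags the combination the research turns on: library validation disabled alongside entitlements for TCC-protected resources. The two plists are constructed samples for a hypothetical com.example.editor bundle; on a real Mac the XML for an installed app can be dumped with `codesign -d --entitlements :- /Applications/Example.app` and fed to the same function.

```python
"""Audit a macOS entitlements plist for the risky combination described above:
hardened-runtime library validation switched off while the app also holds
entitlements for TCC-protected resources (camera, microphone, ...)."""
import plistlib
from typing import Dict, List

# Hardened runtime entitlement that lets the app load libraries not signed by
# its own team (the "disable library validation" entitlement from the article).
DISABLE_LIBRARY_VALIDATION = "com.apple.security.cs.disable-library-validation"

# Entitlements that declare access to TCC-gated resources. A library injected
# into the process inherits whatever the user has already granted the app.
RESOURCE_ENTITLEMENTS = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendars",
    "com.apple.security.personal-information.location": "location",
}


def audit_entitlements(plist_bytes: bytes) -> Dict[str, object]:
    """Parse an entitlements plist and report the risky combination.

    Returns a dict with:
      library_validation_disabled - True if the entitlement is set to true
      exposed_resources           - TCC-gated resources the app declares
      finding                     - "high" if both are present, "info" if only
                                    library validation is disabled, "ok" otherwise
    """
    entitlements = plistlib.loads(plist_bytes)
    disabled = bool(entitlements.get(DISABLE_LIBRARY_VALIDATION, False))
    exposed: List[str] = sorted(
        name for key, name in RESOURCE_ENTITLEMENTS.items() if entitlements.get(key)
    )
    if disabled and exposed:
        finding = "high"
    elif disabled:
        finding = "info"
    else:
        finding = "ok"
    return {
        "library_validation_disabled": disabled,
        "exposed_resources": exposed,
        "finding": finding,
    }


# Constructed sample: a hypothetical com.example.editor app that disables
# library validation while also holding camera and microphone entitlements.
SAMPLE_RISKY = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
    <key>com.apple.security.device.camera</key><true/>
    <key>com.apple.security.device.audio-input</key><true/>
</dict>
</plist>
"""

# Constructed sample: the same app with the entitlement removed, which is the
# fix the article reports for Teams and OneNote.
SAMPLE_FIXED = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.device.camera</key><true/>
    <key>com.apple.security.device.audio-input</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    for label, sample in (("risky", SAMPLE_RISKY), ("fixed", SAMPLE_FIXED)):
        print(label, audit_entitlements(sample))
```

The "info" finding is deliberate: disabling library validation is not itself a vulnerability, but it is the precondition the research relies on, so an inventory of installed apps carrying it is worth keeping even where no TCC-gated entitlement is declared.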

Responsible handling

Benvenuto said that to be truly effective – and secure – Apple’s model depends on applications responsibly handling their permissions.

“MacOS trusts applications to self-police their permissions. A ******** in this responsibility leads to a breach of the entire permission model, with applications inadvertently acting as proxies for unauthorised actions, circumventing TCC and compromising the system’s security model. This highlights the importance for applications to implement robust security measures to avoid becoming vectors for exploitation.”

Benvenuto went on to state that the Microsoft apps appear to be using the disable library validation entitlement to support plug-ins, which should mean plug-ins signed by third-party developers but in this instance really seems to refer only to Microsoft’s own Office add-ins. He said this raised further questions about why Microsoft needed to disable library validation at all if no external libraries are expected to turn up.

“By using this entitlement, Microsoft is circumventing the safeguards offered by the hardened runtime, potentially exposing its users to unnecessary risks,” he wrote.

Eight vulnerabilities

The issues described by the Cisco Talos team have been assigned the following designations:

  • CVE-2024-39804 in Microsoft PowerPoint;
  • CVE-2024-41138 in Microsoft Teams (work or school) com.microsoft.teams2.modulehost.app;
  • CVE-2024-41145 in Microsoft Teams (work or school) WebView.app helper app;
  • CVE-2024-41159 in Microsoft OneNote;
  • CVE-2024-41165 in Microsoft Word;
  • CVE-2024-42004 in Microsoft Teams (work or school);
  • CVE-2024-42220 in Microsoft Outlook;
  • And CVE-2024-43106 in Microsoft Excel.

According to Benvenuto, Microsoft has said it considers these issues to be low risk, and it has supposedly declined to fix some of them because the apps need to allow loading of unsigned libraries to support the Office add-ins.

At the time of writing, both Teams and OneNote have had the problematic entitlement removed and are no longer vulnerable to exploitation. The others remain at risk.


