What security vulnerabilities were identified in Microsoft applications for macOS?

Cisco Talos researchers identified security vulnerabilities in eight Microsoft applications for macOS, potentially exposing users to library injection attacks. These attacks involve injecting malicious code or libraries into legitimate applications, leading to unauthorized access or system compromise.

How do library injection attacks work in this context?

Library injection attacks exploit vulnerabilities that permit loading untrusted libraries in applications, enabling attackers to manipulate the application’s behavior. On macOS, this stems from the com.apple.security.cs.disable-library-validation entitlement, which allows the loading of plug-ins signed by third-party developers, potentially leading to data theft or surveillance.

Which Microsoft applications for macOS are affected?

The vulnerabilities affect Microsoft Outlook (CVE-2024-42220), Microsoft Teams (work/school version) (CVE-2024-42004), Microsoft PowerPoint (CVE-2024-39804), Microsoft OneNote (CVE-2024-41159), Microsoft Excel (CVE-2024-43106), Microsoft Word (CVE-2024-41165), Microsoft Teams WebView.app helper (CVE-2024-41145), and Microsoft Teams com.microsoft.teams2.modulehost.app (CVE-2024-41138).

Is there a patch available for the vulnerable Microsoft applications?

No, there is currently no patch available for the remaining vulnerable applications—Microsoft Outlook, PowerPoint, Excel, and Word. Users will need to wait for an official update from Microsoft.

Advisory

Cisco Talos report vulnerabilities in Microsoft Apps for macOS enabling library injection attack

published: Aug. 19, 2024

Take action: You can't do much about these vulnerabilities. Just keep the applications updated as the new patches are released. Best you can do is be mindful of malware and phishing attacks as vectors for exploiting the library injection vulnerabilities.

Learn More

Cisco Talos researchers have identified security vulnerabilities in eight Microsoft applications for macOS, potentially exposing users to library injection attacks.

Library injection attacks involve inserting malicious code or libraries into a legitimate application, allowing attackers to manipulate the application’s behavior or gain unauthorized access to sensitive resources. This method exploits vulnerabilities that permit loading untrusted libraries, often leading to actions like data theft, surveillance, or system compromise.

These flaws stem from a macOS-specific entitlement named com.apple.security.cs.disable-library-validation, which is enabled in these applications. The entitlement allows the loading of plug-ins signed by third-party developers, but it also opens the door for attackers to inject malicious libraries. Once injected, attackers could perform arbitrary actions within the compromised applications, including sending unauthorized emails, recording audio, or capturing video without the user's knowledge or interaction.

The vulnerabilities are tracked under the following CVE numbers:

Microsoft Outlook: CVE-2024-42220
Microsoft Teams (work or school): CVE-2024-42004
Microsoft PowerPoint: CVE-2024-39804
Microsoft OneNote: CVE-2024-41159
Microsoft Excel: CVE-2024-43106
Microsoft Word: CVE-2024-41165
Microsoft Teams WebView.app helper app: CVE-2024-41145
Microsoft Teams com.microsoft.teams2.modulehost.app: CVE-2024-41138

Microsoft has acknowledged the vulnerabilities but has classified them as low risk, emphasizing the need to load unsigned libraries for plugin support in some applications., Microsoft has updated four applications—Microsoft Teams (main app), WebView app, ModuleHost app, and Microsoft OneNote—to remove the disable-library-validation entitlement. However, as of August 19, 2024, Microsoft Outlook, PowerPoint, Excel, and Word remain vulnerable.

No remediation is possible for the vulnerable applications until a patch is issued.

Cisco Talos report vulnerabilities in Microsoft Apps for macOS enabling library injection attack