A vulnerability found in Microsoft software for Apple’s macOS could allow hackers to spy on MacBook users, cybersecurity experts warned.
Apple’s macOS employs a layered security framework called Transparency, Consent, and Control (TCC) to regulate app access to personal data and system privileges. This model requires explicit user consent before granting an app access to sensitive resources like the microphone, camera, folders, screen recording, and user input, among others.
However, the effectiveness of TCC depends on the integrity of each app. If a trusted app is compromised, the permissions previously granted by the user could be exploited.
According to Cisco Talos, the newly discovered exploit could allow hackers to inject malicious libraries—collections of codes—into Microsoft apps to gain their user-granted permissions.
If hackers gained access through Microsoft apps, they could send emails from the users’ accounts without them noticing, record audio clips, take pictures, or record videos without any user interaction.
Cisco Talos reported eight exploitable applications. Four have since been updated by Microsoft and no longer possess the vulnerability—they are Microsoft Teams, Microsoft Teams helper, Microsoft Teams ModuleHost, and Microsoft OneNote.
However, Microsoft Excel, Microsoft Outlook, Microsoft PowerPoint, and Microsoft Word remain vulnerable.
“All apps, except for Excel, have the ability to record audio, some can even access the camera,” the company noted.
According to Cisco Talos, Microsoft considers this exploit to be “low risk” since its apps for macOS need to circumvent certain safeguards in order to load third-party plug-ins.
In the meantime, the cybersecurity experts urged Apple to implement changes to the TCC to make the permission model more secure. For example, the system should prompt users and allow them to decide whether to load specific third-party plugins into apps they already have granted permissions.
In an emailed statement, a spokesperson for Microsoft said the reported exploits “do not pose a significant security risk as the technique described requires the attacker to already have a certain level of access to the system.”
“However, we have implemented several updates for added protection, as detailed in the report,” the spokesperson said. “As best practice, customers should keep their software updated and regularly review application permissions.”
