.png)
1 month ago
4
Security experts are warning millions of Apple Mac users to protect themselves after they found hackers can use apps to spy on people.
Cybersecurity group Cisco Talos discovered eight vulnerabilities in several Microsoft apps, including Teams, Outlook, Word and PowerPoint, this week that can allow cybercriminals to gain access to your computer.
The company warned Apple users that hackers are injecting malicious codes into the apps, allowing them to take over the user-granted permissions that give the apps access to the microphone and camera.
Although Apple's macOS systems have security measures in place to protect users from bad actors, they can still inject malicious codes using malware - software that's designed to gain unauthorized access to a device.
Security experts are warning millions of Apple users to protect themselves after they found hackers can use Microsoft apps to spy on people
The vulnerability was uncovered on Microsoft macOS apps that use Transparency Consent and Control (TCC) to manage users' permissions to access location services, photos and folders and screen recordings.
Cisco Talos found that the TCC framework gives hackers a gateway to steal the app permission and take over the device.
If hackers gained access through Microsoft's apps, they could send emails from the users' accounts without them noticing as well as take pictures, and record audio clips and videos.
They could also leak sensitive information or escalate privileges, granting them access to other personal data and system privileges.
'We identified eight vulnerabilities in various Microsoft applications for macOS, through which an attacker could bypass the operating system's permission model by using existing app permissions without prompting the user for any additional verification,' Cisco Talos reported.
For those who might be wondering how hackers could access the camera or microphone through apps like Word that don't typically require them to be used, the group explained that 'all apps, except for Excel, have the ability to record audio, some can even access the camera.'
Bad actors reportedly use macOS permission settings to record video or audio secretly without the user's knowledge.
Permissions controls what data apps can access on a user's mobile device that they can allow or deny and change their preference in their settings.
After an app downloads, it will typically send a notification to the user requesting permission to read, modify or delete files, photos and videos, track the user's location and take pictures and record videos.
MacOS's default security policy provides users with minimal protection from malware that's installed without expressly requiring users' permission.
The vulnerabilities are all connected to possible library injections that macOS attempts to safeguard users against using Hardened Runtime - a system that is supposed to prevent hackers from downloading malicious codes onto the system.
However, Cisco Talos claimed that Microsoft disabled some of Hardened Runtime's features so third-party companies could add social media sharing buttons, contact forms and other analytics tools.
If hackers gained access through Microsoft's apps, they could send emails from the users' accounts including Teams, Outlook, Word and PowerPoint without them noticing as well as take pictures, and record audio clips and videos
Despite Microsoft's alleged claims that it is imperative to allow third-party access to user permission, Cisco Talos reported that it isn't necessary because 'as far as we know, the only 'plug-ins' available to Microsoft's macOS apps are web-based and known as 'Office add-ins.'
'If this understanding is correct, it raises questions about the necessity of disabling library validation, especially if no additional libraries are expected to be loaded,' Cisco Talos continued.
'By using this entitlement, Microsoft is circumventing the safeguards offered by the hardened runtime, potentially exposing its users to unnecessary risks.'
A Microsoft spokesperson told DailyMail.com: 'The disclosed cases do not pose a significant security risk as the technique described requires the attacker to already have a certain level of access to the system.
'However, we have implemented several updated for added protection, as detailed in the report. As best practice, customers should keep their software updated and regularly review application permissions.'
Cisco Talos reported that Microsoft updated its Teams and OneNote apps on macOS but didn't update the validation requirements on Excel, PowerPoint, Word and Outlook.
The company warned that by leaving these doors open to adversaries, Microsoft is allowing hackers to 'exploit all of the apps' entitlements and, without any user prompts, reuse all the permissions already granted to the app, effectively serving as a permission broker for the attacker.'
DailyMail.com has reached out to Microsoft for comment.
English (US)