Microsoft applications such as Word, Excel, Outlook, and Teams are so integral and widely used that they are nearly indispensable, whether you’re using a Windows PC or a Mac. However, these same apps have become a prime target for hackers on Apple Macs due to an unresolved security issue. A cybersecurity research group has identified a flaw in Microsoft apps on Macs that could potentially give hackers access to your photos, videos, contacts, and other sensitive information. Alarmingly, Microsoft does not view this as a significant enough issue to address.


Cisco Talos, the cybersecurity research group, has uncovered vulnerabilities across several Microsoft apps including Excel, OneNote, Outlook, PowerPoint, Teams, and Word. These flaws enable attackers to inject harmful libraries into the applications, thereby gaining unauthorised access to the apps' permissions and user-provided entitlements.


ALSO READ | Google Pixel 9 Review: With AI Features THIS Fun, You Can Excuse The iPhone-y Design


Why Is It Dangerous?


To grasp why this is problematic, let us first understand macOS's security framework. Mac devices use a permission-based system governed by the Transparency, Consent, and Control (TCC) framework. Whenever you install a new app, you are prompted to give permission for its operation. Similarly, if an app needs to access sensitive data like contacts, photos, or your webcam, you are asked to approve or deny this access.


This framework is designed to ensure that you are aware of and trust the apps accessing your private information. Apple restricts access to sensitive data to only those apps that have the necessary entitlements — authorisation from Apple to request such access. Apps lacking these entitlements cannot request sensitive information from you.


However, the Microsoft apps in question possess these entitlements, and the identified security flaw enables hackers to bypass the usual permission prompts and gain access to your sensitive data.


The researchers said, "We identified eight vulnerabilities in various Microsoft applications for macOS, through which an attacker could bypass the operating system’s permission model by using existing app permissions without prompting the user for any additional verification."


It added, "All apps, except for Excel, can access sensitive data like your emails and web activity," the group adds.


Will It Be Fixed?


Microsoft considers the security flaws "low risk" and has declined to fix them in some apps. Cisco Talos research group said, "Microsoft considers these issues low risk, and some of their applications, they claim, need to allow loading of unsigned libraries to support plugins and have declined to fix the issues."


Microsoft has updated the Teams and OneNote apps on macOS to modify their handling of the library validation entitlement. Despite this, Excel, PowerPoint, Word, and Outlook continue to be susceptible to the vulnerability.


Microsoft spokesperson told Fox News, "The disclosed cases do not pose a significant security risk as the technique described requires the attacker to already have a certain level of access to the system. However, we have implemented several updates for added protection, as detailed in the report. As a best practice, customers should keep their software updated and regularly review application permissions."