Hackers Could Potentially Attain Unrestricted Entry Through New Deficiencies in Microsoft macOS Applications
Researchers have unveiled eight vulnerabilities in Microsoft macOS apps that hackers could exploit to achieve increased privileges or access confidential information by bypassing the permission-based model of the operating system, which centers around the Transparency, Consent, and Control (TCC) framework.
Cisco Talos expressed in a statement, “If successful, bad actors could acquire any privileges that are already authorized to the impacted Microsoft applications. They can, for instance, send emails from the user account imperceptibly, capture audio snippets, capture images, or film videos without any user intervention.”
The deficiencies affect various apps such as Outlook, Teams, Word, Excel, PowerPoint, and OneNote.
The cybersecurity firm stated that malevolent libraries could be inserted into these applications to acquire their rights and user-sanctioned authorizations, which could then be exploited to extract sensitive data based on the permissions assigned to each of these applications.
TCC is an Apple-developed framework that administers access to private user records on macOS, providing users with additional visibility into how their information is accessed and handled by different applications installed on the device.
This data is managed through an encrypted database that saves the approvals given by the user to each application to ensure that the choices are consistently enforced across the system.
“TCC works together with the application sandboxing functionality in macOS and iOS,” observed Huntress in its explanation of TCC. “Sandboxing confines an app’s reach to the system and other apps, providing an added layer of protection. TCC ensures apps can only retrieve data for which they have explicit user consent.”
Sandboxing also serves as a defense against code injection, a technique that would otherwise let an intruder with access to the host insert malicious code into a legitimate process and reach the restricted data that process is allowed to access.
Francesco Benvenuto, a researcher at Talos, mentioned, “Library injection, also referred to as Dylib Hijacking within the macOS context, involves inserting code into an application’s operational process. macOS counters this threat using features like hardened runtime, which lowers the chance of attackers executing arbitrary code through a different app’s process.”
“Nevertheless, if an attacker successfully inserts a library into another app’s running process space, this library can utilize all the permissions previously granted to that process, effectively functioning on behalf of the application itself.”
It’s important to note that these attacks require the threat actor to already have some level of access to the compromised host, which they use to launch a more privileged app and inject a malicious library into it, thereby obtaining the permissions granted to that app.
In simpler terms, if a trusted app is compromised by an attacker, it can be manipulated into misusing its permissions to gain unauthorized access to confidential data without the user’s consent or awareness.
This form of attack becomes possible when an app loads libraries from locations the attacker could control and has disabled library validation through a risky entitlement (i.e., set it to true); library validation normally restricts loading to libraries signed by the app’s developer or by Apple.
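A defender-side audit for the condition just described, as an added example that is not Talos’ or Microsoft’s code: it parses an app’s exported entitlements and flags the combination of disabled library validation with TCC-guarded device capabilities. The two entitlement plists and the app names are constructed sample data; the entitlement keys themselves are real hardened-runtime keys.

```python
"""Flag macOS app entitlements that weaken the library-loading protections
described above (hardened runtime with library validation).

Added example, not Talos' or Microsoft's code. The two entitlement plists
below are constructed sample data and the app names are hypothetical.
On a real Mac the XML can be exported with the classic form
`codesign -d --entitlements :- /Applications/Some.app` and fed to assess()."""
import plistlib

# Hardened-runtime entitlements that relax defences against code injection.
RISKY = {
    "com.apple.security.cs.disable-library-validation":
        "loads libraries not signed by the app's Team ID or Apple",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "honours DYLD_* variables, another library-injection vector",
}

# Constructed sample: a plugin-hosting app with library validation switched off.
PLUGIN_HOST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
  <key>com.apple.security.device.camera</key><true/>
</dict></plist>"""

# Constructed sample: an app that keeps library validation enabled.
STRICT_APP = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.security.cs.disable-library-validation</key><false/>
  <key>com.apple.security.device.camera</key><true/>
</dict></plist>"""


def assess(entitlements_xml: bytes) -> dict:
    """Return risky entitlements, TCC-guarded capabilities, and an overall verdict."""
    ents = plistlib.loads(entitlements_xml)          # <true/> becomes Python True
    risky = [k for k in RISKY if ents.get(k) is True]
    # Device entitlements declare which TCC-guarded resources the app may request;
    # an injected library would ride on whatever the user has already approved.
    tcc = sorted(k for k, v in ents.items()
                 if k.startswith("com.apple.security.device.") and v is True)
    return {"risky": risky, "tcc_capable": tcc,
            "exposed": bool(risky) and bool(tcc)}


if __name__ == "__main__":
    for name, xml in (("PluginHost.app", PLUGIN_HOST), ("Strict.app", STRICT_APP)):
        r = assess(xml)
        verdict = "EXPOSED" if r["exposed"] else "ok"
        print(f"{name}: {verdict} risky={r['risky']} inherits={r['tcc_capable']}")
```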

“macOS trusts applications to self-regulate their authorizations,” pointed out Benvenuto. “Any failure in this responsibility leads to a breakdown of the entire permission model, as applications inadvertently act as conduits for illicit actions, evading TCC and jeopardizing the system’s security model.”
Microsoft views the identified concerns as “low risk” and states that these apps need to load unsigned libraries for plugin support. Nevertheless, the company has intervened to fix the issues in its OneNote and Teams applications.
“These vulnerable apps create an opportunity for threat actors to exploit all the apps’ authorizations and, without any user alerts, reuse all the permissions already granted to the app, essentially acting as a permission broker for the attacker,” highlighted Benvenuto.
Benvenuto added, “It’s worth mentioning that determining how to securely handle such plugins within macOS’ current framework is unclear. Verifying the security of third-party plugins through notarization is a possibility, although a complex one that necessitates Microsoft or Apple to approve third-party modules post-security checks.”