8 Security Flaws Discovered in macOS Operating System for Microsoft Applications

8 vulnerabilities have been discovered in macOS operating system Microsoft apps by researchers from Cisco Talos. These vulnerabilities allow a malicious actor to bypass the permission model of the OS using existing permissions without further user verification. Exploiting these vulnerabilities could give an attacker privileges within the targeted application, such as sending emails, recording video and audio, or capturing images. Microsoft has categorized these vulnerabilities as low risk and has chosen not to address them.

“Security teams should be on high alert due to the vulnerabilities in Microsoft’s macOS apps that could lead to potential breaches,” says Eric Schwake, Director of Cybersecurity Strategy at Salt Security. “These vulnerabilities permit malicious code injection, potentially allowing attackers to take control of user-granted permissions and access sensitive resources like cameras, microphones, and screen recordings without user consent. Despite Microsoft downplaying the risk, the possibility of unauthorized surveillance and data exfiltration is considerable. Taking immediate action is crucial, so security teams need to prioritize updating vulnerable apps, enforcing strict access controls, and considering additional security measures like limiting app permissions to mitigate these risks.”

Jason Soroko, Senior Vice President of Product at Sectigo, adds, “This should not become a recurring issue. Undermining Apple’s security measures goes against the reasons why people choose that ecosystem. This scenario emphasizes the importance of security teams critically evaluating the entitlements and permissions granted to applications, even if users do not. Immediate steps should involve reviewing and tightening app permissions, implementing monitoring for unusual activity, and urging users to update their software promptly when patches are released. Additionally, cooperation between software vendors and Apple to ensure proper implementation of security features without compromising functionality is essential.”