
Microsoft apps on macOS could be your biggest privacy threat

Microsoft apps like Word, Excel, Outlook, and Teams are so popular (and useful) that they’re almost a must-have, whether you’re using a Windows computer or a Mac. However, these apps may become a hacker’s paradise on Apple Macs due to an unpatched vulnerability.

A cybersecurity research group has revealed that Microsoft apps on Mac have a security flaw that could allow hackers to access your photos, videos, contacts and almost all of your private data.

The worst part is that Microsoft doesn't consider this a big enough threat to be patched.



Vulnerabilities in Microsoft applications expose users to unauthorized access to data

The cybersecurity research group Cisco Talos discovered security vulnerabilities in Excel, OneNote, Outlook, PowerPoint, Teams, and Word. These vulnerabilities allow attackers to inject malicious libraries into these applications, giving the injected code the application's entitlements and the permissions the user has already granted to it.

To understand why this is dangerous, let’s first look at the macOS framework. Mac devices run on a permission-based system and rely on the Transparency, Consent and Control (TCC) framework. You’ve probably noticed that every time you download a new app, you’re asked to grant permission for it to run. Similarly, when an app wants to access sensitive information like contacts, photos, or webcams, you’re asked to allow or block access.

This system ensures that you know and trust the apps that have access to your private information. However, Apple doesn't allow just any app to request access to sensitive data: only those with the appropriate entitlements (that is, apps that Apple has authorized to make such requests) can do so. Apps that don't have these entitlements won't ask you for permission to access sensitive data.

The Microsoft applications mentioned above hold these entitlements, and the security flaw they contain allows hackers to bypass the permission requests and access your sensitive information.

“We have identified eight vulnerabilities in various Microsoft applications for macOS that could allow an attacker to bypass the operating system's permission model by leveraging existing application permissions without prompting the user for additional verification,” the researchers explain.

For example, a hacker could design malware to read your emails or view your browsing history without you even knowing. “All applications except Excel can access sensitive data such as your email and web activity,” the group adds.


Is Microsoft working on a fix?

Microsoft considers these security vulnerabilities to be “low risk” and has declined to patch them in some applications. “Microsoft considers these issues to be low risk, and some of its applications, it says, must allow unsigned libraries to be loaded to support plugins, and it has declined to patch the issues,” the Cisco Talos research group said.

Microsoft has updated the Teams and OneNote apps on macOS to change how they handle the library validation entitlement. However, Excel, PowerPoint, Word, and Outlook remain vulnerable to the exploit.
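To see which installed apps still switch library validation off while also holding sensitive entitlements, you can audit the entitlements embedded in each app's code signature. The following is an added example, not code from Cisco Talos or Microsoft: the entitlement key names are Apple's hardened-runtime keys (they are not quoted in this article), the function names are hypothetical, and the sample plists are constructed.

```python
import plistlib

# Input is the XML that codesign prints on recent macOS, for example:
#   codesign -d --entitlements - --xml "/Applications/Microsoft Word.app"

# Hardened-runtime key that switches library validation off, letting the
# process load libraries not signed by Apple or by the app's own team.
DISABLE_LV = "com.apple.security.cs.disable-library-validation"

# Entitlements that let an app request (and then hold) TCC-protected resources.
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendars",
    "com.apple.security.personal-information.photos-library": "photos",
}

def audit_entitlements(xml_bytes):
    """Return (library_validation_disabled, sorted sensitive resources)."""
    if not xml_bytes.strip():  # unsigned binary or no entitlements at all
        return False, []
    ents = plistlib.loads(xml_bytes)
    lv_off = ents.get(DISABLE_LV) is True
    resources = sorted(n for k, n in SENSITIVE.items() if ents.get(k) is True)
    return lv_off, resources

def at_risk(xml_bytes):
    """True when a loaded third-party library would inherit a sensitive grant."""
    lv_off, resources = audit_entitlements(xml_bytes)
    return lv_off and bool(resources)

def _plist(keys):
    # Build a constructed entitlements plist for the samples below.
    return plistlib.dumps({k: True for k in keys})

# Constructed samples, not dumps from any shipped application.
SAMPLE_PLUGIN_HOST = _plist([DISABLE_LV,
                             "com.apple.security.device.camera",
                             "com.apple.security.device.audio-input"])
SAMPLE_HARDENED = _plist(["com.apple.security.device.camera"])

if __name__ == "__main__":
    for label, blob in (("plugin-host", SAMPLE_PLUGIN_HOST),
                        ("hardened", SAMPLE_HARDENED)):
        lv_off, res = audit_entitlements(blob)
        print(f"{label}: library validation off={lv_off}, "
              f"resources={res}, at risk={at_risk(blob)}")
```

An app flagged here is one whose camera, microphone or similar grants are worth revoking in the privacy settings if you do not use them.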

Cisco Talos did not provide any concrete examples of how this vulnerability could be exploited in real-world attacks. The company also did not confirm whether hackers have ever used the flaw to access sensitive user information.


Microsoft and Apple's response

We reached out to Microsoft and a company spokesperson provided the following statement:

“The cases disclosed do not pose a significant security risk, as the technique described requires the attacker to already have some level of access to the system. However, we have implemented several updates for increased protection, as outlined in the report. As a best practice, customers should keep their software up to date and regularly review application permissions.”

We also contacted Apple but did not receive a response by our deadline.

What can you do to protect your data?

There's not much you can do to protect yourself in this situation unless Microsoft patches the vulnerability. However, below are some steps you can take to minimize the risk.

1. Keep your apps up to date: Regularly check for updates to your Microsoft apps through the Mac App Store or the Microsoft AutoUpdate tool. While not all vulnerabilities are necessarily fixed, updates often include important security fixes that reduce your risk of exploitation.

2. Limit permissions: Go to your macOS settings and check the permissions granted to Microsoft apps. Turn off access to sensitive data like your camera, microphone, contacts, and calendar unless absolutely necessary. For example, if you rarely use the camera in Teams, you can revoke its access. Here's how:

  • Click on the Apple menu in the upper left corner of your screen and select “System Settings”.
  • In the System Settings window, scroll down and select “Privacy & Security” from the sidebar.
  • In the Privacy & Security section, you will find different categories such as Camera, Microphone, Contacts and Calendars. Click on each category to see which apps have access to it.
  • For each category, search for Microsoft apps (e.g. Microsoft Teams, Outlook) and uncheck them to revoke access if it is not necessary. For example, if you rarely use the camera in Teams, you can uncheck it in the Camera section.
  • Close the System Settings window to save your changes. Apps will no longer have access to the specified data unless you allow them again later.

For earlier versions of macOS, the steps to limit permissions for Microsoft apps are slightly different. Here's how to do it:

  • Click on the Apple menu in the upper left corner of your screen and select “System Preferences”.
  • In the System Preferences window, click “Security & Privacy”.
  • In the Security & Privacy window, navigate to the “Privacy” tab.
  • In the left sidebar you will see different categories such as Camera, Microphone, Contacts and Calendars.
  • Click on each category to see which applications have access.
  • To make changes, you may need to click the lock icon in the lower left corner and enter your administrator password.
  • Find the Microsoft applications (e.g. Microsoft Teams, Outlook) and uncheck them to revoke access if not required.
  • Close the Security & Privacy window to save your changes. Apps will no longer have access to the specified data unless you allow them again later.

These steps help ensure that Microsoft apps on your macOS have limited access to sensitive data, improving your privacy and security.

3. Consider alternatives: If you are concerned about security, consider using other office software that is less susceptible to these vulnerabilities. Apple’s suite of productivity apps, including Pages, Numbers, and Keynote, is designed specifically for macOS and offers robust security features. These apps can serve as viable replacements for Word, Excel, and PowerPoint, respectively.

Additionally, Google Workspace offers cloud-based tools like Google Docs, Sheets, and Slides that are accessible from any device and offer strong security measures. By choosing these alternatives, you can reduce the risk of unauthorized data access and maintain greater control over your personal information.

4. Use powerful antivirus software: The best way to protect yourself from malicious links that install malware and can potentially access your private information on your Mac is to install antivirus software on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Check out my picks for the best antivirus protection winners of 2024 for your Windows, Mac, Android, and iOS devices.


Kurt's Key Takeaway

While Microsoft apps like Word, Excel, Outlook, and Teams are essential tools for many, their vulnerabilities on macOS pose significant security risks. This discovery shows how these apps can be exploited to access sensitive data without your consent. Despite the seriousness of these findings, Microsoft’s decision not to address all of the vulnerabilities leaves you in a precarious position. It’s critical that you remain vigilant by updating your apps, limiting permissions, and considering alternative software solutions to protect your data. As technology evolves, so do threats, making it critical that you prioritize security.

How should Microsoft take responsibility for ensuring your security and privacy in light of the vulnerabilities identified in its applications? Let us know by writing to us at Cyberguy.com/Contact


Copyright 2024 CyberGuy.com. All rights reserved.
