Cisco Talos has discovered eight vulnerabilities in Microsoft's applications for macOS that malicious software could exploit to gain unauthorized access to a device's resources. The flaws allow the macOS permission model to be bypassed by reusing permissions the user has already granted to the affected application, which could lead, for example, to e-mails being sent from the user's account or to audio and video being recorded without consent.
Cisco Talos also points out that the same weaknesses could be used for privilege escalation, giving an attacker access to more sensitive system resources. The analysis below is intended both to raise awareness of the threat and to suggest what software developers should do to minimize the risk of such privacy breaches.
The security policy of most operating systems is based by default on Discretionary Access Control (DAC): the owner of a file or resource decides who may access it. DAC offers little protection against malicious software running with the user's own privileges, and none against software running as root, because such code simply acts as an owner the policy already trusts.
macOS was designed to strengthen privacy protection beyond that. In addition to the standard DAC policy, access to certain resources is guarded by the TCC (Transparency, Consent, and Control) framework, which regulates how applications gain access to confidential user data and system resources. TCC requires an application to obtain the user's explicit consent before it can access protected resources such as contacts, calendars, photos, location, the camera, and the microphone, so users keep direct control over which applications can reach their data. Grants are recorded per application and can be reviewed and revoked later under Privacy & Security in System Settings. The important consequence is that a grant belongs to the application as a whole: any code that manages to run inside a granted application inherits its permissions without a new prompt.
macOS also employs measures intended to stop malicious software from injecting code into legitimate applications. The Hardened Runtime restricts what a signed application may do at run time; in particular, its library validation rule only lets the application load libraries signed by Apple or by the same developer, which is what blocks the classic dynamic-library injection. Separately, the App Sandbox isolates an application from the rest of the system, limiting its access to files, devices, and system data to what its entitlements declare.
One of the main problems Cisco Talos found was improper permission management in Microsoft's applications, Microsoft Word among them. Permissions are what protect user data and the system from unauthorized access. The weakness lay in how the application's isolation was configured: the protections that should keep untrusted code out of the sandboxed application, and thereby keep sensitive data out of reach, could be bypassed.
In practice, the isolation could be bypassed: code injected into the application could use resources the user had granted to it, well beyond what the attacker's own process would be allowed. Although the Hardened Runtime protects against code-execution and injection attacks and the sandbox confines the application's access to user data and system resources, these protections only hold if the application actually keeps them enabled; where it does not, malicious software can still find a way to the data. It is worth noting that not all sandboxed applications are equally exposed. An application usually becomes a useful attack vector only when two things coincide: a way to get code into it, and permissions already granted to it that are worth inheriting.
Another example was a flaw in Microsoft Teams, widely used for communication at work and school. Teams asks for consent to access the camera and microphone. If an attacker managed to inject malicious code into it, that code could use the permissions the user had already granted, with no new TCC prompt. The application then serves as a proxy through which an unauthorized party can, for example, listen in on conversations or record video without the user's knowledge.
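The two conditions described above, a way to get code into an application and sensitive permissions already granted to it, can both be read off an application's code-signing entitlements. The following audit script is an added example written for this page; it is not Cisco Talos's or Microsoft's code and does not reproduce the specific findings. The entitlement keys are Apple's documented Hardened Runtime and App Sandbox keys; the embedded entitlements plist is a constructed, hypothetical sample so the script runs offline. On a Mac the real XML can be obtained with `codesign -d --entitlements :- /Applications/Some.app`.

```python
"""Audit a macOS application's entitlements for the dangerous combination
"injectable" plus "holds sensitive permissions".

Added example for this page; not code from Cisco Talos or Microsoft.
The sample entitlements below are constructed and describe no real app.
"""
import plistlib

# Hardened Runtime opt-outs that let foreign code get into the process.
# Each key is a documented Apple entitlement; the description is ours.
INJECTION_VECTORS = {
    "com.apple.security.cs.disable-library-validation":
        "library validation disabled (any signed or unsigned dylib can be loaded)",
    "com.apple.security.cs.allow-dyld-environment-variables":
        "DYLD_* environment variables honoured (e.g. DYLD_INSERT_LIBRARIES)",
    "com.apple.security.cs.allow-unsigned-executable-memory":
        "unsigned executable memory allowed",
}

# App Sandbox / Hardened Runtime resource grants worth inheriting.
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.microphone": "microphone",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendars",
    "com.apple.security.personal-information.location": "location",
    "com.apple.security.personal-information.photos-library": "photos",
}

APP_SANDBOX = "com.apple.security.app-sandbox"

# Constructed sample: a sandboxed app that declares camera and microphone
# access but opts out of library validation. Hypothetical, not a real app.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key><true/>
    <key>com.apple.security.device.camera</key><true/>
    <key>com.apple.security.device.audio-input</key><true/>
    <key>com.apple.security.cs.disable-library-validation</key><true/>
</dict>
</plist>
"""


def audit_entitlements(xml_bytes: bytes) -> dict:
    """Parse an entitlements plist and rate the injection-plus-permissions risk."""
    ents = plistlib.loads(xml_bytes)
    vectors = [desc for key, desc in INJECTION_VECTORS.items() if ents.get(key) is True]
    resources = sorted({name for key, name in SENSITIVE.items() if ents.get(key) is True})
    sandboxed = ents.get(APP_SANDBOX) is True
    # Sandboxing alone does not remove the risk: injected code runs inside the
    # same sandbox with the same entitlements and the same TCC grants. The app
    # is a high-value vector only when both halves are present.
    if vectors and resources:
        risk = "high"
    elif vectors:
        risk = "medium"
    else:
        risk = "low"
    return {
        "sandboxed": sandboxed,
        "injection_vectors": vectors,
        "sensitive_resources": resources,
        "risk": risk,
    }


if __name__ == "__main__":
    for field, value in audit_entitlements(SAMPLE_ENTITLEMENTS).items():
        print(f"{field}: {value}")
```

Run it against the sample and the constructed app is rated high: it is sandboxed, but library validation is off and it holds camera and microphone grants. An app that keeps library validation on is rated low even with the same grants, which is the point of the check: the permissions themselves are legitimate, the problem is letting untrusted code borrow them.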
After identifying the flaws, Cisco Talos reported them to Microsoft under the standard coordinated vulnerability disclosure process. This process matters because it gives the vendor time to plan and ship corrective updates before the details become public and give criminals an opportunity to exploit them. In response, Microsoft prepared and issued updates and carried out an additional security audit of its macOS applications. No system is free of flaws and new gaps will appear, so a rapid response and user awareness of how applications behave are key to handling such incidents.
The discovery and Microsoft's response to Cisco Talos' report show how important cooperation between security researchers and software vendors is. Only swift response and proactive action can minimize the risk from security gaps and protect users worldwide. Cisco Talos also recommends that organizations and individual users apply updates regularly and deploy additional protective measures such as network monitoring and segmentation and antivirus software.
Source: https://managerplus.pl/powazna-luka-w-zabezpieczeniach-aplikacji-microsoft-na-macos-ryzyko-nieuprawnionego-dostepu-do-kamery-i-mikrofonu-65231