
App Permission Bypass Possible with Flaws in Microsoft Apps for macOS


SC Media reports that Microsoft Outlook, Teams, Word, Excel, PowerPoint, and OneNote for macOS were impacted by eight security flaws that could be used to bypass the operating system's app permissions without any further user verification.

Exploitation of the vulnerabilities could provide additional privileges that enable covert email delivery, photo capturing, and audio and video recording activities, according to Cisco Talos researchers, who identified and reported the issues to Microsoft. While Microsoft refused to remediate the "low risk" bugs, such flaws, which significantly increase the risk of malicious code injection, data exfiltration, and surveillance, should prompt organizations to focus on robust access controls, app permission restrictions, and app updates, said Salt Security Director of Cybersecurity Strategy Eric Schwake.

Sectigo Vice President of Product Jason Soroko also cited the issues as highlighting the importance of security teams evaluating Microsoft app permissions and entitlements, as well as of coordination between software vendors and Apple.
