Cisco Discovers Multiple Security Issues in Office for Mac, Microsoft Deems Them Non-Issues and Refuses Fixes
The cybersecurity team at Cisco, Talos, has unveiled eight security vulnerabilities within Microsoft Office for Mac. These vulnerabilities could allow attackers to record video and audio from user devices, access sensitive data, log user inputs, and escalate privileges.
These vulnerabilities are found in Excel, OneNote, Outlook, PowerPoint, Microsoft Teams, and Word. However, Microsoft has explicitly informed Cisco that it will not address these issues.
Below are the vulnerability numbers and component names:
- CVE-2024-42220 (Outlook)
- CVE-2024-42004 (Teams – work or school) (Main Program)
- CVE-2024-39804 (PowerPoint)
- CVE-2024-41159 (OneNote)
- CVE-2024-43106 (Excel)
- CVE-2024-41165 (Word)
- CVE-2024-41145 (Teams – work or school) (WebView.app helper app)
- CVE-2024-41138 (Teams – work or school) (com.microsoft.teams2.modulehost.app)
Why is Microsoft unwilling to patch these vulnerabilities? After analysis, Microsoft's security team believes these issues pose a very low risk, noting that the applications would need to allow the loading of unsigned libraries to support plugins, which makes exploitation more difficult.
Apple's security model is permission-based, relying on the Transparency, Consent, and Control framework (i.e., the TCC framework), which should be familiar to seasoned macOS users. This means the system displays a prompt every time a sensitive operation is performed.
The TCC framework is controlled by Apple, allowing certain developers to choose the permissions they need to enable. However, even then, the system will prompt for user consent or denial when invoking permissions like microphone recording.
Moreover, Apple reinforces these security policies through various means, such as the Hardened Runtime, a policy that prevents unauthorized software libraries from running and stops attackers from executing code via compromised applications.
The issue with Office is that Microsoft is among the few developers authorized by Apple to disable the Hardened Runtime enforcement, allowing Office to bypass library validation. Under specific conditions, attackers can exploit this to load untrusted libraries by combining vulnerabilities between software.
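To audit which installed apps combine relaxed library validation with TCC-relevant permissions, the following added example (not code from Cisco, Microsoft, or the original article) parses an app's entitlements plist and rates the exposure. The entitlement keys are real macOS keys that the article does not name; the sample plists and the risk labels are constructed for illustration.

```python
import plistlib
import subprocess

# Real macOS entitlement keys (assumption: not named in the article itself).
DISABLE_LV = "com.apple.security.cs.disable-library-validation"
DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}

def audit_entitlements(plist_bytes):
    """Return (risk, reasons) for one app's entitlements plist."""
    ent = plistlib.loads(plist_bytes) if plist_bytes.strip() else {}
    reasons = []
    if ent.get(DISABLE_LV) is True:
        reasons.append("library validation disabled")
    if ent.get(DYLD_ENV) is True:
        reasons.append("DYLD_* environment variables honoured")
    if not reasons:
        return "ok", []
    granted = sorted(v for k, v in SENSITIVE.items() if ent.get(k) is True)
    if granted:
        # A library loaded into the process acts with the app's own TCC grants.
        reasons.append("loaded libraries would inherit: " + ", ".join(granted))
        return "high", reasons
    return "review", reasons

def read_entitlements(app_path):
    """On macOS 12+, dump an app's entitlements as XML via codesign."""
    out = subprocess.run(
        ["codesign", "-d", "--entitlements", "-", "--xml", app_path],
        capture_output=True, check=True)
    return out.stdout

# Constructed sample entitlement sets (hypothetical apps, not real dumps).
SAMPLE_PLUGIN_HOST = plistlib.dumps({DISABLE_LV: True,
    "com.apple.security.device.camera": True,
    "com.apple.security.device.audio-input": True})
SAMPLE_HARDENED = plistlib.dumps({"com.apple.security.device.camera": True})
SAMPLE_NO_TCC = plistlib.dumps({DISABLE_LV: True})

if __name__ == "__main__":
    for name in ("SAMPLE_PLUGIN_HOST", "SAMPLE_HARDENED", "SAMPLE_NO_TCC"):
        print(name, audit_entitlements(globals()[name]))
```

On a Mac, pass the output of `read_entitlements("/Applications/Some.app")` to `audit_entitlements` to check a real bundle; an app with no entitlements yields empty output and is rated `ok`.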
The controversy lies in the precondition for launching attacks via Office, which requires circumventing Office plugins. Cisco researchers argue that Apple should not allow third-party developers to disable enforced protection and run third-party plugins, implying that Apple should mandate validation for all libraries.
Cisco has not provided any practical examples of such attacks, indicating that, at least for now, no hackers have exploited these vulnerabilities.
Ultimately, while Microsoft has labeled the risk as low and refused to issue fixes, it did update Microsoft Teams and OneNote to mitigate the risk of library injections, but other Office components remain unpatched.