Microsoft Office and Teams applications running on macOS may be susceptible to library injection, which could allow an attacker to exploit their permissions or entitlements, according to Cisco Talos researchers.
The researchers identified “eight vulnerabilities in Microsoft applications for the macOS operating system” that have been assigned common vulnerabilities and exposures (CVE) numbers.
However, they noted that Microsoft considers the identified issues to be “low risk” and had “declined to fix” them.
The researchers said their interest was in “the ability to inject a library and exploit the permissions or entitlements of other applications.”
“Library injection, also known as Dylib Hijacking in the context of macOS, is a technique whereby code is inserted into the running process of an application,” the Cisco Talos researchers said in a blog post.
“macOS counters this threat with features such as hardened runtime, which reduce the likelihood of an attacker executing arbitrary code through the process of another app.
“However, should an attacker manage to inject a library into the process space of a running application, that library could use all the permissions already granted to the process, effectively operating on behalf of the application itself.”
In the case of Microsoft’s productivity suite, application permissions typically granted include access to “the microphone, camera, folders, screen recording, user input and more”.
“Elevated permissions given to applications could be hijacked, potentially turning these apps into conduits for unauthorised access to sensitive resources,” the researchers said.
“If an adversary were to gain access to these, they could potentially leak sensitive information or, in the worst case, escalate privileges.”
The researchers said that entitlements, the permissions an app declares in its code signature and that macOS enforces at run time, differ between Microsoft applications.
“This means that the impact of injecting a library into one of the apps varies depending on which specific app is compromised,” they said.
Applications carrying the com.apple.security.cs.disable-library-validation entitlement were seen as “potentially risky” and susceptible to the library injection conditions outlined by the researchers: that entitlement tells the hardened runtime to load libraries that are not signed by Apple or by the app’s own Team ID, which is precisely the check that would otherwise block a foreign dylib from being loaded into the process.
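The practical question for a defender is which installed apps combine the hardened runtime with an entitlement that weakens it. The following script is an added example, not code from the Talos post or from Microsoft: it parses the output of Apple's codesign tool to answer that question. The parsing runs offline against a constructed sample; the audit_app helper only works on macOS, and the --xml flag it passes is assumed to be the one required on recent macOS releases (older codesign versions print XML without it, so the helper retries without the flag). It also goes slightly beyond the page by checking com.apple.security.cs.allow-dyld-environment-variables, a second entitlement that weakens the hardened runtime in the same spirit, since it permits DYLD_* environment variables to reach the process.

```python
"""Audit a macOS app bundle for hardened-runtime entitlements that permit
library injection. Added example; the sample data below is constructed."""
import plistlib
import re
import subprocess

DISABLE_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"

# `codesign -dv` prints a CodeDirectory line to stderr, e.g.
# "CodeDirectory v=20500 size=3000 flags=0x10000(runtime) hashes=90+7 ..."
_FLAGS_RE = re.compile(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)")


def parse_entitlements(raw: bytes) -> dict:
    """Parse the XML entitlements plist that `codesign --entitlements` emits.
    Older codesign builds prefix it with an 8-byte blob header unless ':-'
    is used, so skip everything before '<?xml'. Returns {} if no plist."""
    start = raw.find(b"<?xml")
    if start < 0:
        return {}
    return plistlib.loads(raw[start:])


def parse_flags(codesign_stderr: str) -> set:
    """Return the code-signing flag names, e.g. {'runtime', 'kill'}."""
    m = _FLAGS_RE.search(codesign_stderr)
    if not m or m.group(1) == "none":
        return set()
    return {f.strip() for f in m.group(1).split(",")}


def assess(entitlements: dict, flags: set) -> dict:
    """Classify an app's exposure to dylib injection from its signature data."""
    hardened = "runtime" in flags
    lib_validation_disabled = bool(entitlements.get(DISABLE_LIB_VALIDATION))
    dyld_env_allowed = bool(entitlements.get(ALLOW_DYLD_ENV))
    if not hardened:
        verdict = "no hardened runtime: library validation not enforced"
    elif lib_validation_disabled or dyld_env_allowed:
        verdict = "hardened runtime weakened by entitlement"
    else:
        verdict = "hardened runtime enforces library validation"
    return {
        "hardened_runtime": hardened,
        "library_validation_disabled": lib_validation_disabled,
        "dyld_env_allowed": dyld_env_allowed,
        "verdict": verdict,
    }


def audit_app(app_path: str) -> dict:
    """macOS only: run codesign against a bundle and assess it.
    Assumption: recent codesign needs --xml for XML output; older builds
    reject the flag, so fall back to the bare invocation."""
    base = ["codesign", "-d", "--entitlements", ":-"]
    ents = subprocess.run(base + ["--xml", app_path],
                          capture_output=True, check=False).stdout
    if b"<?xml" not in ents:
        ents = subprocess.run(base + [app_path],
                              capture_output=True, check=False).stdout
    flags = subprocess.run(["codesign", "-dv", app_path], capture_output=True,
                           text=True, check=False).stderr
    return assess(parse_entitlements(ents), parse_flags(flags))


# Constructed sample of codesign output (hypothetical app, not real Microsoft data).
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.device.camera</key>
    <true/>
</dict>
</plist>
"""
SAMPLE_FLAGS = (
    "Executable=/Applications/Example.app/Contents/MacOS/Example\n"
    "CodeDirectory v=20500 size=3000 flags=0x10000(runtime) hashes=90+7 location=embedded\n"
)

if __name__ == "__main__":
    print(assess(parse_entitlements(SAMPLE_ENTITLEMENTS), parse_flags(SAMPLE_FLAGS)))
```

On a real machine the same check is `audit_app("/Applications/Microsoft Teams.app")` for each bundle of interest; an app whose verdict is "hardened runtime weakened by entitlement" and which also holds camera, microphone or screen-recording permissions in TCC is the combination the researchers describe.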