CyberWire Daily - Beyond the permissions wall. [Research Saturday]
Episode Date: September 28, 2024

We are joined by Yves Younan, Senior Manager, Talos Vulnerability Discovery and Research at Cisco, discussing their work on "How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions." Cisco Talos has uncovered eight vulnerabilities in Microsoft applications for macOS that could allow attackers to abuse the system's permission model by injecting malicious libraries. By leveraging permissions already granted to these apps, attackers could gain access to sensitive resources like the microphone, camera, and screen recording without user consent. While Microsoft considers these issues low risk and has declined to fix four of the eight (those in Word, Excel, PowerPoint and Outlook), the vulnerabilities pose a potential threat to user privacy and security. The research can be found here: How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions
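An added example (not code from Talos, Microsoft or this episode) showing the check a practitioner would run on an installed app bundle: does it have hardened runtime, and does it ship the com.apple.security.cs.disable-library-validation entitlement (the "disable library verification" entitlement discussed in the episode) that lets foreign code be loaded into its address space and inherit whatever TCC grants the user has given the app? The entitlement key names and the `flags=0x10000(runtime)` field in `codesign -dvv` output are real; the exact codesign invocations in audit_bundle(), the hypothetical Example.app and its constructed codesign output are assumptions, and the extra check for com.apple.security.cs.allow-dyld-environment-variables goes beyond what the episode discusses.

```python
"""Audit a macOS app bundle for the library-injection weakness described above.

Added example, not Talos's or Microsoft's code. The parsing and scoring
functions are pure and run anywhere; only audit_bundle() shells out to
Apple's codesign tool and therefore needs macOS.
"""
import plistlib
import re
import subprocess

# Real entitlement key: lets a hardened-runtime app load libraries that are
# not signed by the same Team ID or by Apple.
DISABLE_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"
# Real entitlement key: re-enables DYLD_* variables (e.g. DYLD_INSERT_LIBRARIES)
# under hardened runtime. Extra check added here, not discussed in the episode.
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
# Hardened-runtime entitlements that gate TCC-protected hardware; the grant a
# user gives for these is what injected code would inherit.
SENSITIVE_ENTITLEMENTS = {
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.device.camera": "camera",
}

# The CodeDirectory line of `codesign -dvv` carries e.g. flags=0x10000(runtime)
# or flags=0x12000(library-validation,runtime); no flags reads flags=0x0(none).
_FLAGS_RE = re.compile(r"flags=0x[0-9a-fA-F]+\(([^)]*)\)")


def parse_signing_flags(codesign_dvv_output: str) -> set:
    """Return the set of named code-signing flags from `codesign -dvv` output."""
    m = _FLAGS_RE.search(codesign_dvv_output)
    if not m:
        return set()
    names = (f.strip() for f in m.group(1).split(","))
    return {n for n in names if n and n != "none"}


def parse_entitlements(plist_xml: bytes) -> dict:
    """Parse the XML plist that `codesign -d --entitlements :- <app>` prints."""
    if not plist_xml.strip():
        return {}
    return plistlib.loads(plist_xml)


def assess(flags: set, entitlements: dict) -> dict:
    """Decide whether code not signed by the app's team (or Apple) can be loaded."""
    validation_on = "runtime" in flags or "library-validation" in flags
    disable_lv = bool(entitlements.get(DISABLE_LIB_VALIDATION, False))
    allow_dyld = bool(entitlements.get(ALLOW_DYLD_ENV, False))
    if not validation_on:
        verdict = "no hardened runtime / library validation: any dylib can be loaded"
        injectable = True
    elif disable_lv or allow_dyld:
        verdict = "hardened runtime, but an entitlement weakens library validation"
        injectable = True
    else:
        verdict = "hardened runtime with library validation: foreign code is blocked"
        injectable = False
    inheritable = sorted(
        name for key, name in SENSITIVE_ENTITLEMENTS.items() if entitlements.get(key)
    )
    return {
        "hardened_runtime": "runtime" in flags,
        "disable_library_validation": disable_lv,
        "allow_dyld_env": allow_dyld,
        "library_injection_possible": injectable,
        "inheritable_resources": inheritable,
        "verdict": verdict,
    }


def audit_bundle(app_path: str) -> dict:
    """macOS only: run codesign against a real bundle.

    Assumed invocations: codesign prints the -d details on stderr and the
    entitlements on stdout; the entitlement output format varies by macOS
    version, so confirm it on your own machine.
    """
    dvv = subprocess.run(["codesign", "-dvv", app_path],
                         capture_output=True, text=True).stderr
    ent = subprocess.run(["codesign", "-d", "--entitlements", ":-", app_path],
                         capture_output=True).stdout
    return assess(parse_signing_flags(dvv), parse_entitlements(ent))


# Constructed sample shaped like codesign output for a hypothetical
# "Example.app" with the weak configuration discussed in the episode.
SAMPLE_DVV = """\
Executable=/Applications/Example.app/Contents/MacOS/Example
Identifier=com.example.Example
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=4096 flags=0x10000(runtime) hashes=120+7 location=embedded
Signature size=9000
"""
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
  <key>com.apple.security.device.camera</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = audit_bundle(sys.argv[1])
    else:
        result = assess(parse_signing_flags(SAMPLE_DVV),
                        parse_entitlements(SAMPLE_ENTITLEMENTS))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it on macOS with a bundle path (saved as, say, audit_entitlements.py: `python3 audit_entitlements.py "/Applications/Microsoft Teams.app"`) or with no argument to score the constructed sample. Two caveats: the entitlement is legitimate for plugin hosts, which is Microsoft's stated reason for keeping it, so a hit is a risk indicator rather than a confirmed vulnerability; and the actual grants live in the TCC database, which needs Full Disk Access to read, so the script reports the declared sensitive entitlements rather than what the user has already approved.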
Transcript
You're listening to the CyberWire Network, powered by N2K.

Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
So one of the researchers on the team was interested in how applications used entitlements on macOS
and started looking at them and found out that there were some
vulnerabilities in the Microsoft applications.
That's Yves Younan, Senior Manager with Talos Vulnerability Discovery and Research at Cisco.
The research we're discussing today is titled, How Multiple Vulnerabilities in Microsoft
Apps for macOS Pave the Way to Stealing Permissions.
Well, it seems to me like this is kind of a story in two parts here. I mean, we've got the foundational part, which is how macOS deals with several layers of security and then the specifics of the Microsoft vulnerabilities
that you all looked into here.
Can we start with the macOS side of things?
Can you take us through the specific ways
that macOS handles these layers of security?
It's kind of unique.
Yes, it is.
So traditionally, in a regular operating system, or in a traditional operating system permission environment,
what you have is user permissions, and when you have the permissions of that user, you can do whatever that user can do.
So macOS, and iPhone does this as well, has added extra permissions to access sensitive resources or do certain sensitive tasks.
And they do this by enforcing a permission level on applications itself rather than on the user. So when I run an application that wants to access my microphone, that application has
to have, first of all, declared an entitlement that it wants to access that microphone.
And then the user has to give it explicit permission to do that once the application
runs.
And additionally, there's some sandboxing that goes on as well?
Yeah.
So if you download an app from the App Store,
it is sandboxed, which prevents it from doing certain actions on your system.
If you download it from somewhere else, it is not necessarily sandboxed.
But if it's notarized by Apple, it does have to have hardened runtime enabled.
And hardened runtime makes sure that the application
is less susceptible to attacks from other applications.
And so given these standards
within how macOS handles this,
what does that mean to the end user themselves?
But then also, what does it mean for the developer?
So the developer has to declare the entitlements that they want.
If they go through the App Store, that goes through Apple's process,
and it is sandboxed.
If they don't go through the App Store
but don't want to be listed as an unverified developer,
so if they want to be notarized by Apple,
they have to, again, declare the entitlements they want
and enable hardened runtime.
So that's for the developer side.
So you have to declare these entitlements because if you don't,
you can't even ask for permission.
So for example, you can't even ask for permission to access the microphone
if you don't have that entitlement in your application.
For users, it means that when you start an application,
it will often say, oh, I need access to the microphone.
Are you willing to grant that? And if you say yes, that is stored
within the operating system,
in what's called the TCC database,
so it doesn't ask you every time.
Well, there's another aspect of this that you all point out
and that's library injection.
Can you go through and describe to us what that means?
So library injection: well, if you enable hardened runtime
in an application,
you cannot inject libraries
into that application.
That means you cannot load code
that is not signed
by the application developer
or by Apple.
There is an entitlement
called disable library verification,
which enables the application to load unsigned code into its address space.
And so what are the implications of that?
So usually an application would do that if they need to load plugins or something.
But in this case, an attacker could also abuse it by loading foreign code into that application
and then reusing the permissions that it has.
So for example, as I mentioned a couple of times, microphone access.
So if a user has granted that to a specific application,
if you load code into that application, you can reuse that permission.
We'll be right back.
Well, let's dig into the Microsoft apps themselves.
Take us through what you found here.
So we looked at eight applications from Microsoft.
So the typical Office applications, Outlook, PowerPoint, Excel, Word,
and so on. We also looked at the Teams application. And so essentially all of them had hardened runtime enabled, but also had the disable library verification entitlement enabled. So that meant that we could load foreign code
into those applications and thus could
reuse the permissions that those applications
had. So for example, in the Teams application, it
would request access to the microphone and the camera.
And because of the way that it loaded libraries,
we were able to then inject our own code into the application space
and reuse those without specifically asking for those entitlements
in our own application.
Now, you all reached out to Microsoft,
and they said that they didn't think that this was a problem, that they felt like they needed this functionality for plugins.
So they patched four out of the eight applications.
So they patched three issues in Teams and in OneNote.
The other four applications, so Excel, PowerPoint, Word, and Outlook, they said that it was required for plugins to work. And they considered it low risk. Do you agree with that
assessment? Well, there is. So you do have to be able to, as an attacker, run code on the device.
So there is an aspect of getting to that action.
But it bypasses the entire security model in the sense that these permissions that you have on macOS restrict what applications can do.
And so I wouldn't consider it low risk.
I would go with medium risk.
Well, and it's interesting, too, because I guess given the ubiquity of Microsoft apps on people's computers here,
I mean, that's a pretty wide, pretty broad potential attack path for folks.
Yes.
What are your recommendations then for folks to best protect themselves here?
So essentially, be careful with what you download, in the sense that you cannot be 100% sure that you can rely on the protections that the operating system is offering.
Unverified applications that have not gone through the notarization process or that weren't downloaded
from the App Store, you should think twice
before simply executing them.
It doesn't necessarily mean they're malicious,
but do that extra verification.
So just so I understand and I'm clear here,
is a possible scenario that,
let's say I have a Microsoft suite of applications
installed on my macOS computer,
and I install some other third-party app that is malicious,
that third-party app could check to see if I have the Microsoft suite installed
and then take advantage of this potential vulnerability?
Yes. So that app could then say,
use the privileges that you've given to those Microsoft applications,
camera, microphone,
and just reuse them without the user being prompted
that that application wants those permissions.
Even worse is if that application then requests those permissions,
it would come from that application.
So let's say PowerPoint does
not have microphone access because you've never used a microphone with PowerPoint.
If at that point you do try to access it, to the user it would look like PowerPoint is asking for
those permissions.
Thank you. We'll have a link in the show notes. We'd love to know what you think of this podcast.
Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity.
If you like our show, please share a rating and review in your podcast app.
Please also fill out the survey in the show notes or send an email to cyberwire at n2k.com.
We're privileged that N2K Cyber Wire is part of the daily routine of the most influential leaders and operators
in the public and private sector,
from the Fortune 500 to many of the world's
preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies
to optimize your biggest investment, your people.
We make you smarter about your teams
while making your team smarter.
Learn how at n2k.com.
This episode was produced by Liz Stokes.
We're mixed by Elliot Peltzman and Trey Hester.
Our executive producer is Jennifer Iben.
Our executive editor is Brandon Karp.
Simone Petrella is our president.
Peter Kilpie is our publisher.
And I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.