Multiple flaws in Microsoft macOS apps unpatched despite potential risks

Cisco Talos says eight vulnerabilities in Microsoft's macOS apps could be abused by nefarious types to record video and sound from a user's device, access sensitive data, log user input, and escalate privileges. The vulnerabilities exist across Excel, OneNote, Outlook, PowerPoint, Teams, and Word, but Microsoft told Talos it …

  1. druck Silver badge

    Who is surprised that...

    1. Microsoft writes crappy code which requires macOS security features to be disabled to run.

    2. The crap code can be exploited by 3rd parties, just like on Windows.

    3. Microsoft doesn't give a shit because it runs on macOS.

    1. Groo The Wanderer

      Re: Who is surprised that...

      At Microsoft, those aren't bugs - they're "features," unfortunately. Some of them have lingered for decades...

  2. Tron Silver badge

    Is it ethical...

    ... to release details of unpatched vulnerabilities?

    1. Jason Hindle Silver badge

      Re: Is it ethical...

      It is certainly motivating.

    2. A random security guy

      Re: Is it ethical...

      Yes, it is ethical. Most White Hat Hackers give a 30 day warning, sometimes more. The hackers mostly know about the vulnerabilities. There may be several reasons you don't see any exploits:

      1. There are other exploits that are available

      2. The hacking industry is working on creating an exploit.

      3. They have already weaponized the exploit but are holding it back.

      4. It is out there, but it hasn't hit you

      5. You haven't noticed that you have been hacked

      6. You are not worth it.

    3. Michael Wojcik Silver badge

      Re: Is it ethical...

      Tell you what. Show us you're familiar with the history of vulnerability disclosure, particularly major events such as the original publication of RFPolicy, and we can debate that question. Do your homework.

  3. david 12 Silver badge

    'plugins from third parties'

    He also highlighted that the only plugins available to Microsoft's macOS apps are Office add-ins, meaning there is no apparent reason to open their apps to running plugins from third parties, as they did through the entitlements.

    What exactly is he talking about? What are 'plugins' in this context, and what plugins are supplied by MS for macOS Office? The reference to "Office add-ins" is confusing, since that category includes many things that are custom development, or only available from third-parties.

    1. Anonymous Coward

      Re: 'plugins from third parties'

      possibly the ones in windows like "teams addon" in "outlook",

      that outlook disables as it sees it delays start up and outlook thinks it might be malicious,

      "outlook" might be right not to trust microsoft add-ins

      1. david 12 Silver badge

        Re: 'plugins from third parties'

        "Add-ins for outlook for Mac":

        https://support.microsoft.com/en-us/office/get-add-ins-for-outlook-for-mac-2bc12110-1f4c-4bda-aeba-af433d4602e9

        Third parties are listed there.

        The question isn't "what's an add-in for Office for Mac", the question is "is he talking through his ass?"

    2. A random security guy

      Re: 'plugins from third parties'

      I used to write Office add-ins on Windows, which were among the most painful pieces of software I had to write. MS Office allows you to write software that can use Office APIs to create buttons, act on emails, etc. These are called Office add-ins/plugins. You can, for example, write a small program that reads an email from your boss, calls ChatGPT, creates a response, and sends it out. It seems that you can't do it on the Mac.

  4. Anonymous Coward

    The researcher published too early. More research is needed.

    It's just an unproven hypothesis until somebody writes some proof of concept exploit code and actually makes it work. Then it becomes a vulnerability that needs fixing.

    1. Rich 2 Silver badge

      That’s like waiting for someone to get killed before doing something about that dangerous road junction.

      Clearly (really, there is no argument) the MS code in question is (obviously, because it’s MS) crap, and needs fixing (or preferably deleting). There is no need to wait until “bad things” happen to do this.

    2. A random security guy

      "Only if it can be exploited" is a Very weak argument

      Oftentimes, I would get a pushback from a developer or a manager saying: I'll fix this buffer overflow or some other security bug only if you can show it can be exploited.

      The basics of security revolve around building secure components. Writing exploits is a thankless job unless you are in the employ of some nation-state hacking organization or a hacker group. It can take hundreds of thousands of dollars to weaponize a vulnerability. Sometimes you can buy toolchains for known types of vulnerabilities.

      Hacker groups can afford to do it because they can get the ROI by hacking and ransoming systems for millions of dollars. It is profitable for them.

      Pointing out vulnerabilities is the right thing to do.

      Microsoft not fixing their bugs is just business as usual.

      1. Michael Wojcik Silver badge

        Re: "Only if it can be exploited" is a Very weak argument

        Yes. "It's not real until you show me an exploit" is a dangerous display of ignorance. Anyone who actually does exploit development, or who is familiar with the history of the field, knows that.

        Many people "knew" stack overflows weren't a problem before the Morris Worm. Many people "knew" they were a problem but only some sort of evil genius could exploit them before Levy published "Smashing the Stack for Fun and Profit". The same goes for all the common attack vectors; we hear over and over that "no one can/will exploit that" right up until someone does.

        I've had to do exploit PoCs for management and other developers, just to prove the point. It's tiresome and a diversion of effort that would better be spent addressing the problem.

        The poster who started this thread is absolutely, completely wrong.

        1. A random security guy

          Re: "Only if it can be exploited" is a Very weak argument

          Agree. And 2 people gave me a thumbs down. It is actually a good indication of why we have security bugs. The cavalier attitude to bad programming practices is the primary reason for security issues.

  5. Zippy´s Sausage Factory
    Facepalm

    "Microsoft considers these issues low risk, and some of their applications, they claim, need to allow loading of unsigned libraries to support plugins and have declined to fix the issues," said Francesco Benvenuto, senior security research engineer at Talos.

    Isn't almost any old malware capable of downloading unsigned libraries these days? How long before these flaws are actively exploited in the wild - assuming they aren't already?

    1. Groo The Wanderer

      Ah, Grasshopper, now you see why in years gone by 'twas oft said "Windows IS a virus." In a sense, all kernels are - but there is no excuse for unsigned code, as you can use internal private SSL setups to properly sign your code. It's the only way you can even get some applications to run because they wisely mandate secure network configurations.

    2. A random security guy

      Microsoft is claiming that there is no reason to protect its products because others need to do their job. It was the same argument used by people who used perimeter defense as sufficient to protect infrastructure. That is the worst possible defense argument; depending on others... The whole principle of zero trust is based on every component doing its best to guard against someone attacking it.
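The two comments above turn on one concrete thing: an app whose entitlements allow it to load unsigned libraries, while it also holds permissions such as camera or microphone access, means any library injected into it inherits those permissions. The script below is an added example, not code from the article, from Talos or from any commenter; it audits an entitlements plist for exactly that combination. The entitlement keys are Apple's real hardened-runtime and TCC keys; the plist it checks is constructed for the example, and `audit_app` assumes it is run on macOS where `codesign` is available.

```shell
#!/bin/sh
# Added example (not from the article or the comments): flag app entitlements that
# relax library validation and, alongside them, entitlements that grant access to
# sensitive devices, so a defender can see which apps would hand an injected
# dylib their camera/microphone rights.

# Hardened-runtime keys that let code other than the developer's or Apple's be loaded.
RISKY_KEYS='com.apple.security.cs.disable-library-validation com.apple.security.cs.allow-dyld-environment-variables'
# Entitlements whose grants an injected library would inherit.
TCC_KEYS='com.apple.security.device.camera com.apple.security.device.audio-input'

# risky_entitlements: read an XML entitlements plist on stdin (the form
# `codesign -d --entitlements - --xml App.app` prints) and emit one line per
# enabled key of interest, prefixed RISK or TCC.
risky_entitlements() {
    awk -v risky="$RISKY_KEYS" -v tcc="$TCC_KEYS" '
        BEGIN { nr = split(risky, r, " "); nt = split(tcc, t, " ") }
        /<key>/ {
            key = $0
            sub(/.*<key>/, "", key); sub(/<\/key>.*/, "", key)
            pending = key; next                 # value follows on the next line
        }
        pending != "" {
            if ($0 ~ /<true\/>/) {              # only <true/> grants anything
                for (i = 1; i <= nr; i++) if (r[i] == pending) print "RISK " pending
                for (i = 1; i <= nt; i++) if (t[i] == pending) print "TCC  " pending
            }
            pending = ""
        }
    '
}

# Constructed sample: one library-validation bypass, one device grant, one
# risky key present but explicitly disabled (must not be reported).
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
  <key>com.apple.security.device.camera</key>
  <true/>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key>
  <false/>
</dict>
</plist>'

# count_risky: number of enabled library-validation bypass keys in plist $1.
count_risky() {
    printf '%s\n' "$1" | risky_entitlements | grep -c '^RISK ' || true
}

# count_tcc: number of enabled sensitive-device grants in plist $1.
count_tcc() {
    printf '%s\n' "$1" | risky_entitlements | grep -c '^TCC ' || true
}

# audit_app: on macOS, dump a real bundle's entitlements and check them.
audit_app() {
    codesign -d --entitlements - --xml "$1" 2>/dev/null | risky_entitlements
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PLIST" | risky_entitlements
```

An app that reports both a RISK line and a TCC line is the case the thread is arguing about: the permission the user granted to the app is, in effect, granted to whatever library ends up loaded into it. Running `audit_app /Applications/SomeApp.app` over installed bundles gives an inventory to weigh against any vendor's "low risk" assessment.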

  6. littletijn
    Joke

    "...stopping malicious libraries from being run, other than those specified by the devs or Apple itself..."

    To call those libraries malicious is quite a stretch, although also a bit honest :)

    1. Michael Wojcik Silver badge

      Oh, I think it's pretty clear that Microsoft Office has done more damage than any other single malware strain.

      1. Groo The Wanderer

        I think Outlook is the clear winner in that suite of security holes...
