Who is surprised that...
1. Microsoft writes crappy code which requires macOS security features to be disabled to run.
2. The crap code can be exploited by 3rd parties, just like on Windows.
3. Microsoft doesn't give a shit because it runs on macOS.
Cisco Talos says eight vulnerabilities in Microsoft's macOS apps could be abused by nefarious types to record video and sound from a user's device, access sensitive data, log user input, and escalate privileges. The vulnerabilities exist across Excel, OneNote, Outlook, PowerPoint, Teams, and Word, but Microsoft told Talos it …
Yes, it is ethical. Most White Hat Hackers give a 30 day warning, sometimes more. The hackers mostly know about the vulnerabilities. There may be several reasons you don't see any exploits:
1. There are other exploits that are available.
2. The hacking industry is working on creating an exploit.
3. They have already weaponized the exploit but are holding it back.
4. It is out there, but it hasn't hit you.
5. You haven't noticed that you have been hacked.
6. You are not worth it.
He also highlighted that the only plugins available to Microsoft's macOS apps are Office add-ins, meaning there is no apparent reason to open their apps to running plugins from third parties, as they did through the entitlements.
What exactly is he talking about? What are 'plugins' in this context, and what plugins are supplied by MS for macOS Office? The reference to "Office add-ins" is confusing, since that category includes many things that are custom development, or only available from third-parties.
"Add-ins for outlook for Mac":
https://support.microsoft.com/en-us/office/get-add-ins-for-outlook-for-mac-2bc12110-1f4c-4bda-aeba-af433d4602e9
Third parties are listed there.
The question isn't "what's an add-in for Office for Mac", the question is "is he talking through his ass?"
I used to write Office add-ins on Windows, which were among the most painful pieces of software I had to write. MS Office allows you to write software that can use Office APIs to create buttons, act on emails, etc. These are called Office add-ins/plugins. You can, for example, write a small program that reads an email from your boss, calls ChatGPT, creates a response, and sends it out. It seems that you can't do it on the Mac.
That’s like waiting for someone to get killed before doing something about that dangerous road junction.
Clearly (really, there is no argument) the MS code in question is (obviously, because it's MS) crap, and needs fixing (or preferably deleting). There is no need to wait until "bad things" happen to do this.
Oftentimes, I would get a pushback from a developer or a manager saying: I'll fix this buffer overflow or some other security bug only if you can show it can be exploited.
The basics of security revolve around building secure components. Writing exploits is a thankless job unless you are in the employ of a nation-state hacking organization or a hacker group. It can take hundreds of thousands of dollars to weaponize a vulnerability. Sometimes you can buy toolchains for known types of vulnerabilities.
Hacker groups can afford to do it because they can get the ROI by hacking and ransoming systems for millions of dollars. It is profitable for them.
Pointing out vulnerabilities is the right thing to do.
Microsoft not fixing their bugs is just business as usual.
Yes. "It's not real until you show me an exploit" is a dangerous display of ignorance. Anyone who actually does exploit development, or who is familiar with the history of the field, knows that.
Many people "knew" stack overflows weren't a problem before the Morris Worm. Many people "knew" they were a problem but only some sort of evil genius could exploit them before Levy published "Smashing the Stack for Fun and Profit". The same goes for all the common attack vectors; we hear over and over that "no one can/will exploit that" right up until someone does.
I've had to do exploit PoCs for management and other developers, just to prove the point. It's tiresome and a diversion of effort that would better be spent addressing the problem.
The poster who started this thread is absolutely, completely wrong.
"Microsoft considers these issues low risk, and some of their applications, they claim, need to allow loading of unsigned libraries to support plugins and have declined to fix the issues," said Francesco Benvenuto, senior security research engineer at Talos.
Isn't almost any old malware capable of downloading unsigned libraries these days? How long before these flaws are actively exploited in the wild - assuming they aren't already?
Ah, Grasshopper, now you see why in years gone by 'twas oft said "Windows IS a virus." In a sense, all kernels are - but there is no excuse for unsigned code, as you can use internal private SSL setups to properly sign your code. It's the only way you can even get some applications to run because they wisely mandate secure network configurations.
Microsoft is claiming that there is no reason to protect its products because others need to do their job. It was the same argument used by people who used perimeter defense as sufficient to protect infrastructure. That is the worst possible defense argument; depending on others... The whole principle of zero trust is based on every component doing its best to guard against someone attacking it.
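The Talos quote above is about the hardened-runtime entitlement that lets an app load libraries not signed by its own Team ID. As an added example (not from the thread, Talos or Microsoft), here is a Python audit that parses an app's entitlements plist, as dumped by `codesign` on macOS (the `audit_app` helper assumes that tool is present), and reports both the weakening keys and the TCC-gated capabilities that any injected code would inherit; the two sample plists are constructed, not taken from any real bundle.

```python
import plistlib
import subprocess
from typing import Dict, List

# Hardened-runtime entitlements that relax code-signing enforcement (real Apple keys).
WEAKENING: Dict[str, str] = {
    "com.apple.security.cs.disable-library-validation": "may load dylibs/plugins signed by anyone, or unsigned",
    "com.apple.security.cs.allow-dyld-environment-variables": "honours DYLD_INSERT_LIBRARIES",
    "com.apple.security.cs.allow-unsigned-executable-memory": "allows unsigned executable memory",
}
# TCC-gated capabilities that code injected into the host app would inherit.
INHERITABLE: Dict[str, str] = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}


def audit(plist_bytes: bytes) -> Dict[str, List[str]]:
    """Parse an entitlements plist; report weakening keys and what injected code gains."""
    ents = plistlib.loads(plist_bytes)
    weak = sorted(k for k in WEAKENING if ents.get(k) is True)
    caps = sorted(v for k, v in INHERITABLE.items() if ents.get(k) is True)
    # Capabilities only matter here if a third-party library can be loaded at all.
    return {"weakening": weak, "inherited_by_injected_code": caps if weak else []}


def audit_app(app_path: str) -> Dict[str, List[str]]:
    """macOS only (assumed): dump the bundle's entitlements as XML with codesign and audit them."""
    out = subprocess.run(["codesign", "-d", "--entitlements", "-", "--xml", app_path],
                         check=True, capture_output=True).stdout
    return audit(out)


# Constructed sample entitlements: one app disables library validation, one keeps it.
SAMPLE_WEAK = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.disable-library-validation</key><true/>
<key>com.apple.security.device.camera</key><true/>
<key>com.apple.security.device.audio-input</key><true/>
</dict></plist>"""
SAMPLE_HARDENED = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.allow-jit</key><true/>
<key>com.apple.security.device.camera</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob in (("weak-app", SAMPLE_WEAK), ("hardened-app", SAMPLE_HARDENED)):
        print(name, audit(blob))
```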