Microsoft apps like Word, Excel, Outlook and Teams are so popular (and useful) that they’re nearly unavoidable, whether you’re on a Windows computer or a Mac. However, these apps can become a hacker’s paradise on Apple Macs due to an unpatched vulnerability.

A cybersecurity research group has revealed that Microsoft apps on Macs have a security flaw that could allow hackers to access your photos, videos, contacts and almost all of your private data. 

The worst part? Microsoft doesn’t consider it a big enough threat to fix.

GET SECURITY ALERTS, EXPERT TIPS — SIGN UP FOR KURT’S NEWSLETTER — THE CYBERGUY REPORT HERE

Vulnerabilities in Microsoft apps expose users to unauthorized data access

The cybersecurity research group Cisco Talos has discovered security vulnerabilities in Excel, OneNote, Outlook, PowerPoint, Teams and Word. These vulnerabilities allow attackers to inject malicious libraries into these apps, giving them access to the apps’ permissions and user-granted entitlements.

To understand why that’s dangerous, let’s first look at macOS’s framework. Mac devices operate on a permission-based system and rely on the Transparency, Consent and Control (TCC) framework. You’ve probably noticed that every time you download a new app, you’re asked to grant permission for it to run. Similarly, when an app wants to access sensitive information like contacts, photos or webcams, you’re prompted to allow or block access.

This system ensures that you know and trust the apps that have access to your private information. However, Apple doesn’t allow just any app to request access to sensitive data — only those with the proper entitlements, meaning apps that Apple has authorized to make such requests. Apps without these entitlements won’t prompt you for permission to access sensitive data.

The Microsoft apps mentioned above have these entitlements, and the security flaw within them allows hackers to bypass permission requests and access your sensitive information.

“We identified eight vulnerabilities in various Microsoft applications for macOS, through which an attacker could bypass the operating system’s permission model by using existing app permissions without prompting the user for any additional verification,” the researchers explain.

For example, a hacker could design malicious software to read your emails or view your browsing history without you even knowing. “All apps, except for Excel, can access sensitive data like your emails and web activity,” the group adds.

Macs on a desk. (Kurt “CyberGuy” Knutsson)

4.3 MILLION AMERICANS EXPOSED IN MASSIVE HEALTH SAVINGS ACCOUNT DATA BREACH

Is Microsoft working on a fix?

Microsoft considers the security flaws “low risk” and has declined to fix them in some apps. “Microsoft considers these issues low risk, and some of their applications, they claim, need to allow loading of unsigned libraries to support plugins and have declined to fix the issues,” the Cisco Talos research group said.

Microsoft updated the Teams and OneNote apps on macOS to change how they handle the library validation entitlement. However, Excel, PowerPoint, Word and Outlook remain vulnerable to the exploit.

Cisco Talos hasn’t provided a working example of how this vulnerability could be exploited in real-world attacks. They also haven’t confirmed whether hackers have used the flaw to access users’ sensitive information yet.

A woman working on her Mac laptop. (Kurt “CyberGuy” Knutsson)

A NEW RUSSIAN THREAT TARGETS OVER 100 APPLE MACOS BROWSER EXTENSIONS

Microsoft and Apple’s response 

We reached out to Microsoft, and a company spokesperson offered this statement:

“The disclosed cases do not pose a significant security risk as the technique described requires the attacker to already have a certain level of access to the system. However, we have implemented several updates for added protection, as detailed in the report. As a best practice, customers should keep their software updated and regularly review application permissions.” 

We also contacted Apple but did not hear back by our deadline. 

What can you do to protect your data?

There’s not much you can do to protect yourself in this situation unless Microsoft patches the vulnerability. Still, below are some steps you can take to minimize the risk.

1. Keep your apps updated: Regularly check for updates to your Microsoft apps through the Mac App Store or the Microsoft AutoUpdate tool. Even though not all vulnerabilities may be addressed, updates often include important security patches that reduce your risk of exploitation.

2. Limit permissions: Go to your macOS settings and review the permissions granted to Microsoft apps. Disable access to sensitive data like your camera, microphone, contacts, and calendar unless absolutely necessary. For example, if you rarely use the camera in Teams, you can revoke its access. Here’s how to do it:

• Click on the Apple menu in the top-left corner of your screen and select “System Settings.”
• In the System Settings window, scroll down and select “Privacy & Security” from the sidebar.
• Within the Privacy & Security section, you’ll find various categories such as Camera, Microphone, Contacts and Calendars. Click on each category to see which apps have access.
• For each category, find Microsoft apps (e.g., Microsoft Teams, Outlook) and uncheck them to revoke access if unnecessary. For example, if you rarely use the camera in Teams, you can uncheck it in the Camera section.
• Close the System Settings window to save your changes. The apps will no longer have access to the specified data unless you grant it again in the future.

For earlier macOS versions, the steps to limit permissions for Microsoft apps are slightly different. Here’s how you can do it:

• Click on the Apple menu in the top-left corner of your screen and select “System Preferences.”
• In the System Preferences window, click on “Security & Privacy.”
• In the Security & Privacy window, go to the “Privacy” tab.
• On the left sidebar, you’ll see various categories such as Camera, Microphone, Contacts and Calendars.
• Click on each category to see which apps have access.
• To make changes, you may need to click the lock icon in the bottom-left corner and enter your administrator password.
• Find the Microsoft apps (e.g., Microsoft Teams, Outlook) and uncheck them to revoke access if unnecessary.
• Close the Security & Privacy window to save your changes. The apps will no longer have access to the specified data unless you grant it again in the future.

These steps help ensure that Microsoft apps on your macOS have limited access to sensitive data, enhancing your privacy and security.

3. Consider alternatives: If you’re concerned about security, consider using alternative office software that is less susceptible to these vulnerabilities. Apple’s suite of productivity apps, including Pages, Numbers and Keynote, are designed specifically for macOS and offer robust security features. These apps can serve as viable replacements for Word, Excel and PowerPoint, respectively.

Additionally, Google Workspace offers cloud-based tools like Google Docs, Sheets and Slides, which are accessible from any device and provide strong security measures. By switching to these alternatives, you can reduce the risk of unauthorized data access and maintain better control over your personal information.

4. Use strong antivirus software: The best way to safeguard yourself from malicious links that install malware and potentially access your private information on your Mac is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

MASSIVE SECURITY FLAW PUTS MOST POPULAR BROWSERS AT RISK ON MAC

Kurt’s key takeaway

While Microsoft apps like Word, Excel, Outlook and Teams are indispensable tools for many, their vulnerabilities on macOS pose significant security risks. The discovery highlights how these apps can be exploited to access sensitive data without your consent. Despite the seriousness of these findings, Microsoft’s decision not to address all vulnerabilities leaves you in a precarious position. It’s crucial for you to stay vigilant by keeping your apps updated, limiting permissions and considering alternative software solutions to safeguard your data. As technology evolves, so do the threats, making it essential for you to prioritize security.

How should Microsoft take responsibility for ensuring your security and privacy in light of identified vulnerabilities in its applications? Let us know by writing us at Cyberguy.com/Contact

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter

Ask Kurt a question or let us know what stories you’d like us to cover.

Follow Kurt on his social channels:

Answers to the most-asked CyberGuy questions:

New from Kurt:

Copyright 2024 CyberGuy.com. All rights reserved.

NASA administrator Bill Nelson announced today that US astronauts Sunita Williams and Barry Wilmore will return next February with the SpaceX Crew-9 mission after spending more than 80 days aboard the International Space Station (ISS).

According to NASA Commercial Crew Program manager Steve Stich, “As we got more and more data over the summer and understood the uncertainty of that data, it became very clear to us that the best course of action was to return Starliner uncrewed.” He said NASA found “there was just just too much uncertainty in the prediction of the thrusters.”

“If we had a way to actually predict what the thrusters would do, for the undock, and all the way through the de-orbit burn, and through the separation sequence, I think we would have taken a different course of action. But when we looked at the data and looked at the potential for thruster failures with the crew on board … it was just too much risk for the crew, and so we decided to pursue the uncrewed testflight. 

Responding to a press question about how NASA can trust Boeing again, NASA Associate Administrator Ken Bowersox said, “We’ve had a lot of tense discussions, right? Because the call was close, and so people have a lot of emotional investment in either option, and that gives you a healthy discourse. But after that, you have to do some work to keep your team together, right?”

“And I’ll acknowledge that we have some work to do there. It’s pretty natural when you’ve had a difficult decision to make.” Bowersox said that NASA remains “committed to working with Boeing.”

Stich weighed in, saying, “Boeing did a great job building a model. The question is, ‘Is that model good enough to predict performance for a crew?’” He added later, “There was just a little disagreement in terms of the level of risk. And that’s kind of where it got down to, and I would say it’s close. It’s very close; it just depends on how you evaluate the risk. We do it a little differently with our crew than Boeing did.”

With limited access to the spacecraft docked with the ISS, tests at NASA’s White Sands Test Facility indicated that deformed Teflon seals may have been one of the reasons the spacecraft’s thrusters failed. But without conclusive answers, NASA waited to decide between returning the astronauts to Earth aboard the Starliner or working with SpaceX to bring them home early next year aboard the Crew-9 mission, which is planned to launch to the ISS in late September.

• SpaceX’s astronauts will be the first non-government astronauts to attempt a spacewalk as part of the Polaris Dawn mission.
•  The mission will also test SpaceX’s new, slimmer spacesuit, and a Crew Dragon vehicle that was modified so it can open its hatch door in the vacuum of space, meaning it does not require an airlock.
• SpaceX officials and the Polaris crew said during a news conference on Monday they have planned for an array of contingency scenarios if something during the mission goes wrong, such as an oxygen leak or failure to reseal the hatch door, but they did not detail what those were.

SpaceX’s attempt at the first ever private spacewalk next week will be a test of trailblazing equipment, including slim spacesuits and a cabin with no airlock, in one of the riskiest missions yet for Elon Musk’s space company.

A billionaire entrepreneur, a retired military fighter pilot and two SpaceX employees are poised to launch on Tuesday aboard a modified Crew Dragon craft, before embarking on a 20-minute spacewalk 434 miles into space two days later.

Until now, walking into the empty expanse of space has only been attempted by government astronauts on the International Space Station (ISS), 250 miles above Earth.

MUSK’S SPACEX TAKES BOLD STEP BEYOND SPACE STATION ON THE WAY TO MAKING HUMANITY AN ‘INTERPLANETARY SPECIES’

SpaceX’s five-day mission – dubbed Polaris Dawn – will swing in an oval-shaped orbit, passing as close to Earth as 118 miles and as far as 870 miles, the farthest any humans will have ventured since the end of the United States’ Apollo moon program in 1972.

Crew members, including billionaire Jared Isaacman, will don SpaceX’s new, slimline spacesuits in a Crew Dragon vehicle that was modified so it can open its hatch door in the vacuum of space – an unusual process that removes the need for an airlock.

“They’re pushing the envelope in multiple ways,” retired NASA astronaut Garrett Reisman said in an interview. “They’re also going to a much higher altitude, with a more severe radiation environment than we’ve been to since Apollo.”

The mission has been bankrolled by Isaacman, the founder of electronic payment company Shift4. He has declined to say how much he has spent, but it is estimated to be over $100 million.

Joining him will be mission pilot Scott Poteet, a retired U.S. Air Force lieutenant colonel, and SpaceX employees Sarah Gillis and Anna Menon, both senior engineers at the company.

For SpaceX, which has pioneered cheap, reusable rockets and expensive private spaceflight, the mission is an opportunity to advance technologies that could be used on the moon and Mars.

Far outside the protective bubble of Earth’s atmosphere, the electronics and shielding on Crew Dragon and spacesuits will be tested as they pass through parts of the Van Allen belt, an area where charged particles streaming mainly from the sun can disrupt satellites’ electronics and affect human health.

“That’s an additional risk that you don’t face when you just stay in low-Earth orbit and go up to the ISS,” Reisman said.

SpaceX’s new kind of spacewalk

The Polaris spacewalk will take place on the mission’s third day, but preparation will begin about 45 hours in advance.

The gumdrop-shaped Crew Dragon’s entire cabin will be depressurized and exposed to the vacuum of space. While only two of the astronauts will float outside, tethered by an oxygen line, the whole crew will depend on their spacesuits for life support.

Days before the spacewalk, the crew will begin a “pre-breathe” process to fill the cabin with pure oxygen and remove any nitrogen from the air.

Nitrogen, if present in astronauts’ bloodstreams in space, could form bubbles, block blood flow and lead to decompression sickness, known as “the bends,” as with scuba divers who return too quickly to the water’s surface.

The crew will use an ultrasound device to monitor any bubble formation, one of many tools to be used in the mission to inform dozens of scientific experiments, providing researchers a rare peek into how astronauts might fare on the moon’s surface or elsewhere in deep space.

“It gives us a very unique opportunity to test these vehicles in such a very unique environment,” said Emmanuel Urquieta, vice chair for aerospace medicine at the University of Central Florida’s internal medicine department.

While astronaut safety on NASA missions is rigorously overseen by the agency, there are no such U.S. standards or laws for spaceflight safety in private missions like Polaris.

SpaceX officials and the Polaris crew said during a Monday news conference they have planned for an array of contingency scenarios if something during the mission goes wrong, such as an oxygen leak or failure to reseal the hatch door, but they did not detail what those were.

Reisman said he knows the Polaris crew and believes they are prepared to handle any unexpected mishaps.

“But there’s not a lot of room for error,” he said.