Microsoft apps on macOS could be your biggest privacy threat

Microsoft apps like Word, Excel, Outlook and Teams are so popular (and useful) that they’re nearly unavoidable, whether you’re on a Windows computer or a Mac. However, these apps can become a hacker’s paradise on Apple Macs due to an unpatched vulnerability.

A cybersecurity research group has revealed that Microsoft apps on Macs have a security flaw that could allow hackers to access your photos, videos, contacts and almost all of your private data. 

The worst part? Microsoft doesn’t consider it a big enough threat to fix.

Microsoft ad. (Microsoft)

Vulnerabilities in Microsoft apps expose users to unauthorized data access

The cybersecurity research group Cisco Talos has discovered security vulnerabilities in Excel, OneNote, Outlook, PowerPoint, Teams and Word. These vulnerabilities allow attackers to inject malicious libraries into these apps, giving them access to the apps’ permissions and user-granted entitlements.

To understand why that’s dangerous, let’s first look at macOS’s framework. Mac devices operate on a permission-based system and rely on the Transparency, Consent and Control (TCC) framework. You’ve probably noticed that every time you download a new app, you’re asked to grant permission for it to run. Similarly, when an app wants to access sensitive information like contacts, photos or webcams, you’re prompted to allow or block access.

This system ensures that you know and trust the apps that have access to your private information. However, Apple doesn’t allow just any app to request access to sensitive data — only those with the proper entitlements, meaning apps that Apple has authorized to make such requests. Apps without these entitlements won’t prompt you for permission to access sensitive data.

The Microsoft apps mentioned above have these entitlements, and the security flaw within them allows hackers to bypass permission requests and access your sensitive information.

“We identified eight vulnerabilities in various Microsoft applications for macOS, through which an attacker could bypass the operating system’s permission model by using existing app permissions without prompting the user for any additional verification,” the researchers explain.

For example, a hacker could design malicious software to read your emails or view your browsing history without you even knowing. “All apps, except for Excel, can access sensitive data like your emails and web activity,” the group adds.

Macs on a desk. (Kurt “CyberGuy” Knutsson)

Is Microsoft working on a fix?

Microsoft considers the security flaws “low risk” and has declined to fix them in some apps. “Microsoft considers these issues low risk, and some of their applications, they claim, need to allow loading of unsigned libraries to support plugins and have declined to fix the issues,” the Cisco Talos research group said.

Microsoft updated the Teams and OneNote apps on macOS to change how they handle the library validation entitlement. However, Excel, PowerPoint, Word and Outlook remain vulnerable to the exploit.
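
To see which apps on a Mac combine the two conditions described above, here is an added example (not from Cisco Talos, Microsoft or the original article) that parses an app's entitlements and flags any app that both turns off library validation and holds an entitlement for sensitive data. The entitlement keys are Apple's documented names; the two app names and their entitlement data are constructed samples, and `read_entitlements` only works on macOS, where `codesign` is available.

```python
import plistlib
import subprocess

# Hardened-runtime entitlement that turns off library validation.
DISABLE_LV = "com.apple.security.cs.disable-library-validation"
# Entitlements that let an app request TCC-protected resources.
SENSITIVE = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
    "com.apple.security.personal-information.addressbook": "contacts",
    "com.apple.security.personal-information.calendars": "calendars",
    "com.apple.security.personal-information.photos-library": "photos",
}

def read_entitlements(app_path):
    """macOS only: return the app's entitlements as XML plist bytes."""
    proc = subprocess.run(
        ["codesign", "-d", "--entitlements", ":-", app_path],
        capture_output=True, check=False)
    return proc.stdout

def audit(plist_bytes):
    """Return (library_validation_disabled, sorted sensitive resources)."""
    if not plist_bytes.strip():  # unsigned app, or no entitlements at all
        return False, []
    ents = plistlib.loads(plist_bytes)
    disabled = ents.get(DISABLE_LV) is True
    resources = sorted(
        name for key, name in SENSITIVE.items() if ents.get(key) is True)
    return disabled, resources

def flagged(apps):
    """Apps that skip library validation AND hold a sensitive entitlement."""
    hits = []
    for name, blob in apps.items():
        disabled, resources = audit(blob)
        if disabled and resources:
            hits.append(name)
    return sorted(hits)

# Constructed entitlements for two hypothetical apps (not real Microsoft data).
SAMPLES = {
    "ExampleOffice.app": plistlib.dumps({
        DISABLE_LV: True,
        "com.apple.security.device.camera": True,
        "com.apple.security.device.audio-input": True,
    }),
    "ExampleNotes.app": plistlib.dumps({
        "com.apple.security.device.camera": True,
    }),
}

if __name__ == "__main__":
    for app, blob in SAMPLES.items():
        print(app, audit(blob))
    print("review first:", flagged(SAMPLES))
```

On a real Mac, pass the output of `read_entitlements("/Applications/SomeApp.app")` to `audit` instead of the sample data.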

Cisco Talos hasn’t provided a working example of how this vulnerability could be exploited in real-world attacks. They also haven’t confirmed whether hackers have used the flaw to access users’ sensitive information yet.

A woman working on her Mac laptop. (Kurt “CyberGuy” Knutsson)

Microsoft and Apple’s response 

We reached out to Microsoft, and a company spokesperson offered this statement:

“The disclosed cases do not pose a significant security risk as the technique described requires the attacker to already have a certain level of access to the system. However, we have implemented several updates for added protection, as detailed in the report. As a best practice, customers should keep their software updated and regularly review application permissions.” 

We also contacted Apple but did not hear back by our deadline. 

What can you do to protect your data?

There’s not much you can do to protect yourself in this situation unless Microsoft patches the vulnerability. Still, below are some steps you can take to minimize the risk.

1. Keep your apps updated: Regularly check for updates to your Microsoft apps through the Mac App Store or the Microsoft AutoUpdate tool. Even though not all vulnerabilities may be addressed, updates often include important security patches that reduce your risk of exploitation.

2. Limit permissions: Go to your macOS settings and review the permissions granted to Microsoft apps. Disable access to sensitive data like your camera, microphone, contacts, and calendar unless absolutely necessary. For example, if you rarely use the camera in Teams, you can revoke its access. Here’s how to do it:

  • Click on the Apple menu in the top-left corner of your screen and select “System Settings.”
  • In the System Settings window, scroll down and select “Privacy & Security” from the sidebar.
  • Within the Privacy & Security section, you’ll find various categories such as Camera, Microphone, Contacts and Calendars. Click on each category to see which apps have access.
  • For each category, find Microsoft apps (e.g., Microsoft Teams, Outlook) and uncheck them to revoke access if unnecessary. For example, if you rarely use the camera in Teams, you can uncheck it in the Camera section.
  • Close the System Settings window to save your changes. The apps will no longer have access to the specified data unless you grant it again in the future.

For earlier macOS versions, the steps to limit permissions for Microsoft apps are slightly different. Here’s how you can do it:

  • Click on the Apple menu in the top-left corner of your screen and select “System Preferences.”
  • In the System Preferences window, click on “Security & Privacy.”
  • In the Security & Privacy window, go to the “Privacy” tab.
  • On the left sidebar, you’ll see various categories such as Camera, Microphone, Contacts and Calendars.
  • Click on each category to see which apps have access.
  • To make changes, you may need to click the lock icon in the bottom-left corner and enter your administrator password.
  • Find the Microsoft apps (e.g., Microsoft Teams, Outlook) and uncheck them to revoke access if unnecessary.
  • Close the Security & Privacy window to save your changes. The apps will no longer have access to the specified data unless you grant it again in the future.

These steps help ensure that Microsoft apps on your Mac have limited access to sensitive data, enhancing your privacy and security.

3. Consider alternatives: If you’re concerned about security, consider using alternative office software that is less susceptible to these vulnerabilities. Apple’s suite of productivity apps, including Pages, Numbers and Keynote, is designed specifically for macOS and offers robust security features. These apps can serve as viable replacements for Word, Excel and PowerPoint, respectively.

Additionally, Google Workspace offers cloud-based tools like Google Docs, Sheets and Slides, which are accessible from any device and provide strong security measures. By switching to these alternatives, you can reduce the risk of unauthorized data access and maintain better control over your personal information.

4. Use strong antivirus software: The best way to safeguard yourself from malicious links that install malware and potentially access your private information on your Mac is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

Kurt’s key takeaway

While Microsoft apps like Word, Excel, Outlook and Teams are indispensable tools for many, their vulnerabilities on macOS pose significant security risks. The discovery highlights how these apps can be exploited to access sensitive data without your consent. Despite the seriousness of these findings, Microsoft’s decision not to address all vulnerabilities leaves you in a precarious position. It’s crucial for you to stay vigilant by keeping your apps updated, limiting permissions and considering alternative software solutions to safeguard your data. As technology evolves, so do the threats, making it essential for you to prioritize security.

How should Microsoft take responsibility for ensuring your security and privacy in light of identified vulnerabilities in its applications? Let us know by writing us at Cyberguy.com/Contact

Copyright 2024 CyberGuy.com. All rights reserved.

Amazon is ‘winding down’ some of its DEI programs

As we head toward the end of the year, I want to give another update on the work we’ve been doing around representation and inclusion. 

As a large, global company that operates in different countries and industries, we serve hundreds of millions of customers from a range of backgrounds and globally diverse communities. To serve them effectively, we need millions of employees and partners that reflect our customers and communities. We strive to be representative of those customers and build a culture that’s inclusive for everyone.

In the last few years we took a new approach, reviewing hundreds of programs across the company, using science to evaluate their effectiveness, impact, and ROI – identifying the ones we believed should continue. Each one of these addresses a specific disparity, and is designed to end when that disparity is eliminated. In parallel, we worked to unify employee groups together under one umbrella, and build programs that are open to all. Rather than have individual groups build programs, we are focusing on programs with proven outcomes – and we also aim to foster a more truly inclusive culture. You can read more about this on our Together at Amazon page on A to Z. 

This approach – where we move away from programs that were separate from our existing processes, and instead integrate our work into existing processes so they become durable – is the evolution to “built in” and “born inclusive,” instead of “bolted on.” As part of this evolution, we’ve been winding down outdated programs and materials, and we’re aiming to complete that by the end of 2024. We also know there will always be individuals or teams who continue to do well-intentioned things that don’t align with our company-wide approach, and we might not always see those right away. But we’ll keep at it.

We’ll continue to share ongoing updates, and appreciate your hard work in driving this progress. We believe this is important work, so we’ll keep investing in programs that help us reflect those audiences, help employees grow, thrive, and connect, and we remain dedicated to delivering inclusive experiences for customers, employees, and communities around the world.

Chinese auto giant wants to make flying cars your next commute option

GAC Group, a prominent automotive manufacturer from China, is making waves in the transportation sector with the launch of its new eVTOL brand, Govy. 

This development reflects GAC’s commitment to sustainable air travel, as the company taps into its extensive automotive expertise and innovative technology to create fresh solutions for urban mobility.

With Govy, GAC is not just entering the flying car market; it’s setting the stage for a new era in how we think about commuting and connectivity in our cities.

Flagship aircraft of Govy named AirJet. (Govy)

Introducing the AirJet

The flagship aircraft of Govy, named AirJet, is a revolutionary composite-wing flying car designed to operate as an air taxi for distances of up to 124 miles. This innovative vehicle combines the efficiency of fixed-wing aircraft with the flexibility of multi-rotor systems, allowing for vertical takeoff and landing capabilities. 

The AirJet is constructed with over 90% carbon fiber composite materials, making it remarkably lightweight — just one-third the weight of a conventional car of similar size. This lightweight design not only enhances performance but also enables longer electric flights.

Performance and features of the AirJet

In terms of performance, the AirJet is powered by GAC’s proprietary electric drive system, which allows it to reach impressive speeds of up to 155 miles per hour. The current model boasts a range exceeding 124 miles, with ambitious plans to extend this range to 249 miles through the development of future solid-state battery technology. Additionally, the AirJet can be recharged in just 30 minutes, ensuring quick turnaround times for operations.

The AirJet is designed with both luxury and safety in mind. It features a spacious cabin with a “1+1+X” seating arrangement that provides flexibility for passengers. The aircraft is equipped with autonomous flight capabilities, allowing for seamless operation without human intervention. Safety is paramount in the design of the AirJet. It includes advanced safety systems such as redundant power and control systems, real-time monitoring, and obstacle detection to ensure secure flights.

The robo-air taxi system

GAC’s vision extends beyond individual aircraft to encompass a comprehensive Robo-AirTaxi system that integrates ground and aerial transport for end-to-end smart mobility solutions. This system will utilize the Govy AirCar for short urban trips under 12.4 miles and the AirJet for mid-range travel up to 124 miles. A key aspect of this vision is the creation of a “40-minute Greater Bay Area life circle” in China, which aims to facilitate efficient intercity travel and significantly reduce transit times and costs.

Future plans and commercialization

Looking ahead, GAC has outlined an ambitious roadmap for Govy. By 2025, the company aims to achieve airworthiness certification for its flying cars, establish production lines, and begin taking pre-orders from customers. Furthermore, GAC plans to launch demonstration operations in two to three Greater Bay Area cities of China by 2027.

Kurt’s key takeaways

With the introduction of Govy and its flagship AirJet, GAC Group is positioning itself at the forefront of urban aerial transportation. By combining innovative technology with a comprehensive ecosystem approach, GAC aims to transform urban mobility into something smarter, safer, and more sustainable. As we move toward a future where aerial vehicles become an integral part of our transportation networks, GAC’s initiatives could play a pivotal role in shaping how we navigate our cities and connect with one another.

Would you feel comfortable using flying cars like the Govy AirJet for your daily commute, and why or why not? Let us know by writing us at Cyberguy.com/Contact

Copyright 2025 CyberGuy.com. All rights reserved.

Drone takes out Super Scooper fighting Los Angeles wildfires

An aircraft helping to fight wildfires that are raging across Los Angeles was struck by a civilian drone on Thursday. The collision damaged the wing of the aircraft — a CL-415 “Super Scooper” capable of scooping up 1,600 gallons of ocean water to drop onto nearby blazes — according to a statement by the LA County Fire Department posted on X, putting it out of service until it can be repaired.

Cal Fire spokesman Chris Thomas told The New York Times that grounding the aircraft will likely set back local firefighting efforts. Super Scoopers can typically refill in about five minutes. But even if it takes ten, that’s six water drops that are lost each hour according to Thomas. “So whose house is not going to get that water to protect it?” The Federal Aviation Administration (FAA) says the Super Scooper landed safely after the drone impact, and that the incident is now under investigation.

Temporary flight restrictions have been implemented in the Los Angeles area that prohibit drones and other aircraft from flying without FAA authorization in an effort to protect firefighting efforts.

According to LA County Fire Chief Anthony Marrone, the drone was not assigned to help tackle the Palisades fires, and was destroyed in the collision. Marrone told the LA Times that the FBI is now planning to implement so-called “aerial armor” in the area to prevent further interference from drones.

Several people online have violated the FAA-enforced flight restrictions, posting viral drone photos and video footage across social media showing the devastation from what appears to be prohibited airspace. Fire response agencies are often forced to ground their own aircraft to avoid collisions when dummies fly drones near wildfires for online clout.

“It’s a federal crime, punishable by up to 12 months in prison, to interfere with firefighting efforts on public lands,” the FAA said in a statement. “Additionally, the FAA can impose a civil penalty of up to $75,000 against any drone pilot who interferes with wildfire suppression, law enforcement or emergency response operations. The FAA treats these violations seriously and immediately considers swift enforcement action for these offenses.”
