Technology
Microsoft apps on macOS could be your biggest privacy threat
Microsoft apps like Word, Excel, Outlook and Teams are so popular (and useful) that they’re nearly unavoidable, whether you’re on a Windows computer or a Mac. However, these apps can become a hacker’s paradise on Apple Macs due to an unpatched vulnerability.
A cybersecurity research group has revealed that Microsoft apps on Macs have a security flaw that could allow hackers to access your photos, videos, contacts and almost all of your private data.
The worst part? Microsoft doesn’t consider it a big enough threat to fix.
GET SECURITY ALERTS, EXPERT TIPS — SIGN UP FOR KURT’S NEWSLETTER — THE CYBERGUY REPORT HERE
Microsoft ad. (Microsoft)
Vulnerabilities in Microsoft apps expose users to unauthorized data access
The cybersecurity research group Cisco Talos has discovered security vulnerabilities in Excel, OneNote, Outlook, PowerPoint, Teams and Word. These vulnerabilities allow attackers to inject malicious libraries into these apps, giving them access to the apps’ permissions and user-granted entitlements.
To understand why that’s dangerous, let’s first look at macOS’s framework. Mac devices operate on a permission-based system and rely on the Transparency, Consent and Control (TCC) framework. You’ve probably noticed that every time you download a new app, you’re asked to grant permission for it to run. Similarly, when an app wants to access sensitive information like contacts, photos or webcams, you’re prompted to allow or block access.
This system ensures that you know and trust the apps that have access to your private information. However, Apple doesn’t allow just any app to request access to sensitive data — only those with the proper entitlements, meaning apps that Apple has authorized to make such requests. Apps without these entitlements won’t prompt you for permission to access sensitive data.
The Microsoft apps mentioned above have these entitlements, and the security flaw within them allows hackers to bypass permission requests and access your sensitive information.
“We identified eight vulnerabilities in various Microsoft applications for macOS, through which an attacker could bypass the operating system’s permission model by using existing app permissions without prompting the user for any additional verification,” the researchers explain.
For example, a hacker could design malicious software to read your emails or view your browsing history without you even knowing. “All apps, except for Excel, can access sensitive data like your emails and web activity,” the group adds.
Macs on a desk. (Kurt “CyberGuy” Knutsson)
4.3 MILLION AMERICANS EXPOSED IN MASSIVE HEALTH SAVINGS ACCOUNT DATA BREACH
Is Microsoft working on a fix?
Microsoft considers the security flaws “low risk” and has declined to fix them in some apps. “Microsoft considers these issues low risk, and some of their applications, they claim, need to allow loading of unsigned libraries to support plugins and have declined to fix the issues,” the Cisco Talos research group said.
Microsoft updated the Teams and OneNote apps on macOS to change how they handle the library validation entitlement. However, Excel, PowerPoint, Word and Outlook remain vulnerable to the exploit.
Cisco Talos hasn’t provided a working example of how this vulnerability could be exploited in real-world attacks. They also haven’t confirmed whether hackers have used the flaw to access users’ sensitive information yet.
A woman working on her Mac laptop. (Kurt “CyberGuy” Knutsson)
A NEW RUSSIAN THREAT TARGETS OVER 100 APPLE MACOS BROWSER EXTENSIONS
Microsoft and Apple’s response
We reached out to Microsoft, and a company spokesperson offered this statement:
“The disclosed cases do not pose a significant security risk as the technique described requires the attacker to already have a certain level of access to the system. However, we have implemented several updates for added protection, as detailed in the report. As a best practice, customers should keep their software updated and regularly review application permissions.”
We also contacted Apple but did not hear back by our deadline.
What can you do to protect your data?
There’s not much you can do to protect yourself in this situation unless Microsoft patches the vulnerability. Still, below are some steps you can take to minimize the risk.
1. Keep your apps updated: Regularly check for updates to your Microsoft apps through the Mac App Store or the Microsoft AutoUpdate tool. Even though not all vulnerabilities may be addressed, updates often include important security patches that reduce your risk of exploitation.
2. Limit permissions: Go to your macOS settings and review the permissions granted to Microsoft apps. Disable access to sensitive data like your camera, microphone, contacts, and calendar unless absolutely necessary. For example, if you rarely use the camera in Teams, you can revoke its access. Here’s how to do it:
- Click on the Apple menu in the top-left corner of your screen and select “System Settings.”
- In the System Settings window, scroll down and select “Privacy & Security” from the sidebar.
- Within the Privacy & Security section, you’ll find various categories such as Camera, Microphone, Contacts and Calendars. Click on each category to see which apps have access.
- For each category, find Microsoft apps (e.g., Microsoft Teams, Outlook) and uncheck them to revoke access if unnecessary. For example, if you rarely use the camera in Teams, you can uncheck it in the Camera section.
- Close the System Settings window to save your changes. The apps will no longer have access to the specified data unless you grant it again in the future.
For earlier macOS versions, the steps to limit permissions for Microsoft apps are slightly different. Here’s how you can do it:
- Click on the Apple menu in the top-left corner of your screen and select “System Preferences.”
- In the System Preferences window, click on “Security & Privacy.”
- In the Security & Privacy window, go to the “Privacy” tab.
- On the left sidebar, you’ll see various categories such as Camera, Microphone, Contacts and Calendars.
- Click on each category to see which apps have access.
- To make changes, you may need to click the lock icon in the bottom-left corner and enter your administrator password.
- Find the Microsoft apps (e.g., Microsoft Teams, Outlook) and uncheck them to revoke access if unnecessary.
- Close the Security & Privacy window to save your changes. The apps will no longer have access to the specified data unless you grant it again in the future.
These steps help ensure that Microsoft apps on your macOS have limited access to sensitive data, enhancing your privacy and security.
3. Consider alternatives: If you’re concerned about security, consider using alternative office software that is less susceptible to these vulnerabilities. Apple’s suite of productivity apps, including Pages, Numbers and Keynote, are designed specifically for macOS and offer robust security features. These apps can serve as viable replacements for Word, Excel and PowerPoint, respectively.
Additionally, Google Workspace offers cloud-based tools like Google Docs, Sheets and Slides, which are accessible from any device and provide strong security measures. By switching to these alternatives, you can reduce the risk of unauthorized data access and maintain better control over your personal information.
4. Use strong antivirus software: The best way to safeguard yourself from malicious links that install malware and potentially access your private information on your Mac is to have antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.
MASSIVE SECURITY FLAW PUTS MOST POPULAR BROWSERS AT RISK ON MAC
Kurt’s key takeaway
While Microsoft apps like Word, Excel, Outlook and Teams are indispensable tools for many, their vulnerabilities on macOS pose significant security risks. The discovery highlights how these apps can be exploited to access sensitive data without your consent. Despite the seriousness of these findings, Microsoft’s decision not to address all vulnerabilities leaves you in a precarious position. It’s crucial for you to stay vigilant by keeping your apps updated, limiting permissions and considering alternative software solutions to safeguard your data. As technology evolves, so do the threats, making it essential for you to prioritize security.
How should Microsoft take responsibility for ensuring your security and privacy in light of identified vulnerabilities in its applications? Let us know by writing us at Cyberguy.com/Contact
For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to Cyberguy.com/Newsletter
Ask Kurt a question or let us know what stories you’d like us to cover.
Follow Kurt on his social channels:
Answers to the most-asked CyberGuy questions:
New from Kurt:
Copyright 2024 CyberGuy.com. All rights reserved.
OpenAI announced yet another reorganization Friday, consolidating certain areas and making company president Greg Brockman the official lead of all things product.
In a memo viewed by The Verge, Brockman wrote that since OpenAI’s product strategy for this year is to go all-in on AI agents, the company is combining its products to “invest in a single agentic platform and to merge ChatGPT and Codex into one unified agentic experience for all.”
To do this, the company is making a suite of org chart changes, although it’s still operating under some of the same ones from last month. That’s when AGI boss Fidji Simo went on medical leave and OpenAI announced that Brockman would be in charge of product strategy and CSO Jason Kwon, CFO Sarah Friar, and CRO Denise Dresser would take control of business operations.
It’s all part of OpenAI’s recent strategic shift to focus on key revenue drivers like coding and enterprise and stop pouring resources into “side quests” ahead of its potential IPO later this year and amid investor pressure to turn a profit.
In Simo’s continued absence, Brockman’s role leading product strategy is now official, as well as the company’s “scaling” arm. Under Brockman will be four different pillars. The first is core product and platform, led by Thibault Sottiaux, who has been OpenAI’s engineering lead for Codex, and the second is critical enterprise industries, led by ChatGPT head Nick Turley. Third is the consumer pillar, such as health, commerce, and personal finance, which will be led by Ashley Alexander, who has been its healthcare products VP. The fourth pillar — core infrastructure, ads, data science, and growth — will be led by Vijaye Raji, who has been OpenAI’s CTO of applications.
Brockman wrote in the memo that OpenAI’s goal is now to “bring agents to ChatGPT scale, in order to give individuals and organizations significantly more value and utility from our products.”
NEWYou can now listen to Fox News articles!
You’re going about your day when your phone buzzes. A text hits your phone. It looks official. It sounds urgent. And suddenly, you are being told you owe money for a traffic violation. That is exactly what Todd from Texas experienced. He emailed us and said:
“I received this text message today. It was so baffling because I haven’t lived in California for nearly a decade. I didn’t click on anything or respond. How can I tell if this is for real or if this is a scam?”
If you’ve gotten a message like this, you are not alone. This type of scam is spreading fast, and it is designed to pressure you into acting before you think. Let’s break down what is really going on.
Sign up for my FREE CyberGuy Report
- Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
- For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
- Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.
FAKE AGENT PHONE SCAMS ARE SPREADING FAST ACROSS THE US
This message may look official, but several red flags show it is likely a scam designed to pressure you into paying quickly. (Kurt “CyberGuy” Knutsson)
What the traffic ticket scam text looks like
At first, the message seems convincing. It claims to be a “final reminder” from the California DMV, and it warns of penalties like license suspension and added fees. It even includes a link that appears somewhat official. However, once you slow down and take a closer look, the red flags quickly start to pile up.
The biggest red flags in this message
Here are the key warning signs to watch for in messages like this.
9 WAYS SCAMMERS CAN USE YOUR PHONE NUMBER TO TRY TO TRICK YOU
1) The phone number makes no sense
The message comes from a number with a +63 country code. That is the Philippines, not California. Government agencies in the U.S. do not send official legal notices from international numbers. That alone is a major warning sign.
2) No name, just “Dear Driver”
Legitimate notices from a DMV or court almost always include your full name or at least some identifying information. “Dear Driver” is vague on purpose. It allows scammers to send the same message to thousands of people.
3) The link isn’t a real DMV website
The message includes this link:
ca.mnvtl.life/dmv
That isn’t a government domain. Official DMV websites in California use “.ca.gov” or similar trusted domains. Scammers often create lookalike links to trick you into clicking.
4) Urgency and threats
The message pushes you to act quickly with a deadline. It lists consequences like license suspension and extra charges. Scammers rely on fear. When you feel rushed, you are more likely to click without thinking.
FBI WARNS OF DANGEROUS NEW ‘SMISHING’ SCAM TARGETING YOUR PHONE
5) Asking you to reply to proceed
The text says to reply with “Y” to get instructions. That is another trap. Responding confirms your number is active, which can lead to more scam messages.
6) Generic language and odd phrasing
Parts of the message feel slightly off. The tone is formal but not quite right. That subtle awkwardness is common in scam messages sent to large groups of people.
7) Overloaded threats designed to scare you
The message piles on consequences like license suspension, added fees, court action and even credit damage. In this case, it even mentions a license suspension and a $160 late payment charge. That combination is meant to overwhelm you and push you to act fast. Real agencies usually provide clear, specific notices, not a long list of escalating threats in a single text.
INSIDE A SCAMMER’S DAY AND HOW THEY TARGET YOU
Scam texts like this often arrive out of nowhere and try to create urgency before you have time to question them. (Kurt “CyberGuy” Knutsson)
What this means for you
Even if you have never driven in California, you could still receive this message. Scammers cast a wide net and hope someone takes the bait. If you click the link, you could be taken to a fake payment page. That page may ask for your credit card details, personal information or login credentials. In some cases, it can also install malware on your device or redirect you to credential-stealing pages. This isn’t about a ticket. It is about getting your data. State DMVs typically do not send final legal notices or payment demands by text message.
Why these scams keep working
These messages work because they tap into something most people fear. Legal trouble, fines and losing driving privileges. They also look just real enough to pass a quick glance. That is all scammers need. As more services move online, these scams will continue to evolve.
Unlike typical DMV scams, this message impersonates a court and escalates the threats to make the situation feel more serious (Kurt “CyberGuy” Knutsson)
Ways to stay safe from traffic ticket text scams
Start with a simple rule. Never trust a payment request that shows up out of nowhere. Here are practical steps you can take:
1) Do not click the link
If you are unsure, do not tap anything in the message. That includes links and reply options.
2) Use strong antivirus software
If you accidentally click a link, strong antivirus software can help detect malware and protect your data. Get my picks for the best 2026 antivirus protection winners for your Windows, Mac, Android & iOS devices at Cyberguy.com
3) Verify directly with the DMV
Go to your state’s official DMV website by typing it yourself into your browser. Do not use the link in the text.
4) Check the sender carefully
Look at the phone number. International numbers or random strings are a clear warning sign.
5) Ignore generic greetings
Real notices will usually include your name or case details. Vague language is a red flag.
6) Consider a data removal service
Scammers often get your number from data broker sites. Removing your personal info from those databases with a data removal service can reduce these messages. Check out my top picks for data removal services and get a free scan to find out if your personal information is already out on the web by visiting Cyberguy.com
7) Block and report the number
On your phone, block the sender and report it as spam. This helps reduce future attempts.
8) Turn on spam filtering
Enable spam filtering on your phone or through your carrier to catch more of these messages before they reach you.
Kurt’s key takeaways
Todd did the right thing. He paused, questioned the message and did not click. That one decision likely saved him from handing over personal information. When it comes to messages like this, skepticism is your best defense. If something feels off, trust that instinct.
Should phone carriers and tech companies be doing more to block scams like this before you ever see them? Let us know by writing to us at Cyberguy.com
CLICK HERE TO DOWNLOAD THE FOX NEWS APP
Sign up for my FREE CyberGuy Report
- Get my best tech tips, urgent security alerts and exclusive deals delivered straight to your inbox.
- For simple, real-world ways to spot scams early and stay protected, visit CyberGuy.com – trusted by millions who watch CyberGuy on TV daily.
- Plus, you’ll get instant access to my Ultimate Scam Survival Guide free when you join.
Copyright 2026 CyberGuy.com. All rights reserved.
Honda revealed prototypes of two new hybrid models, an Accord sedan and the Acura RDX SUV, during its annual business briefing this week, built on a platform that it says will begin launching next year. The RDX was announced earlier this year as Honda’s first SUV to feature the next-gen version of its two-motor hybrid system.
In March, Honda announced it would take a writedown of up to 2.5 trillion yen ($15.7 billion) on its EV investments. Now Honda says its EV-related losses will be “resolved” by 2029, and that it will reevaluate its EV plans in 2030.
-
South Dakota11 minutes agoSouth Dakota Highway Patrol: slow down, stay alert as summer traffic picks up
-
Tennessee17 minutes agoDemocratic Rep. Steve Cohen drops reelection bid in wake of Tennessee redistricting
-
Texas23 minutes agoTexas primary runoff: Key races on the May 26 ballot
-
Utah29 minutes agoUtah Weather: Increasing wind and fire dangers this weekend with a colder and wetter pattern arriving Sunday
-
Vermont35 minutes agoRoute 110 guardrail damaged in Vermont – Valley News
-
Virginia41 minutes agoHyperfest fires up Virginia International Raceway with three days of car chaos
-
Wisconsin53 minutes agoNational Media Continues to Disrespect Wisconsin in Updated Offseason Rankings
-
West Virginia59 minutes agoTeamsters say no talks scheduled with The Beverage Market – WV MetroNews