Researcher Discloses Microsoft Teams Vulnerability on macOS

Security researchers at Quarkslab have uncovered a significant vulnerability in Microsoft Teams for macOS, potentially allowing attackers to gain unauthorized access to users' cameras and microphones.

The flaw, detailed in a blog post, affects both older versions and the latest release of Microsoft Teams (Version 24152.405.2925.6762 at the time of writing), raising concerns about privacy and security for millions of users worldwide.

Quarkslab noted that the vulnerability was discovered during a Purple Team engagement, where researchers simulated an attacker's perspective after gaining remote access to a macOS machine.

Leveraging only tools available on the compromised system, the team conducted static and dynamic analyses of the Microsoft Teams application, ultimately identifying a security weakness that could be exploited to capture video and audio streams without user consent.

The root cause of the vulnerability was a misconfiguration in the Microsoft Teams application package. The researchers found that a binary named 'vcxpc' within the package had its "Disable Library Validation Entitlement" set to True. 

This setting effectively bypasses macOS's library validation checks, allowing the loading of arbitrary libraries without verifying their code signatures – a critical security feature typically enforced by macOS's Hardened Runtime.

After going deeper into the application's structure, the Quarkslab team identified an issue with library loading commands LC_LOAD_DYLIB referencing relative paths. Specifically, they discovered a path traversal vulnerability that could be exploited to load malicious libraries from the /Applications directory.

Researchers have also developed a proof-of-concept exploit to demonstrate the flaw's severity. This exploit comprised a malicious library and a launch agent that periodically executed the vulnerable 'vcxpc' binary. When successful, the exploit could trigger camera recording without any visible indication to the user, potentially leading to severe privacy breaches.

The proof-of-concept also incorporated a persistence mechanism. If a user initially denied camera access, the exploit would repeatedly request permissions every 60 seconds – a technique reminiscent of MFA fatigue attacks – until access was granted. Once permitted, the exploit could silently record video at regular intervals, with the attacker only needing to exfiltrate the captured footage periodically.

The security firm reported the vulnerability to Microsoft on July 23, 2024. Microsoft acknowledged and reproduced the issue by August 21, 2024. However, the resolution process faced some communication challenges, with Microsoft initially closing the case prematurely and later declining to assign a CVE identifier.

Despite Microsoft claiming the vulnerability was fixed, Quarkslab's attempts to obtain specific information about the patch release and corresponding security bulletins were unsuccessful. Microsoft's lack of clear communication regarding the fix's status and public disclosure led Quarkslab to publish its findings on October 8, 2024.