Use Word, Excel or other Microsoft Office apps on macOS? Hackers can exploit these new flaws to spy on your Mac
New security flaws can be exploited by hackers but only with the right permissions
If you use trusted software from reputable brands with one of the best MacBooks, you’re less likely to have a run-in with hackers. However, that isn’t always the case, since security flaws in popular software can be exploited by hackers in their attacks.
As reported by The Record, security researchers at Cisco Talos have found eight new vulnerabilities in one of the most popular software suites around: Microsoft Office. If leveraged by an attacker, these flaws in Word, Excel, PowerPoint, OneNote, Outlook and even Microsoft Teams could be used to gain access to your Mac’s microphone, camera, folders and more.
Here’s everything you need to know about these new vulnerabilities along with which ones Microsoft has fixed so far, plus some tips and tricks on how you can keep your Mac and your data safe from hackers.
Weaponizing existing app permissions
Serious flaws in software as popular as Microsoft Office might sound like cause for alarm but fortunately, hackers can only use these vulnerabilities in their attacks if potential victims have granted these apps certain permissions beforehand.
In a blog post, Cisco Talos’ researchers explain that a Mac user needs to have already given the apps that make up Microsoft Office and Microsoft Teams permission to access device resources for this attack to work. However, if they have, hackers could gain unauthorized access to their Mac’s microphone and camera to secretly record audio or video without their knowledge. They could also record a victim’s screen as well as any keystrokes they typed.
All eight of these vulnerabilities are linked to a technique known as library injection which macOS defends against using Apple’s Hardened Runtime. This restricts risky libraries from loading as they could contain malicious code or malware.
Due to the fact this security feature can prevent some apps from working as intended, Apple provides a workaround which can be used to add an entitlement to particular apps that allows developers to disable certain protections. While this will ensure an app runs as it should, these additional entitlements can also be abused by hackers.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Here at Tom’s Guide our expert editors are committed to bringing you the best news, reviews and guides to help you stay informed and ahead of the curve!
In Microsoft’s case, the entitlements in its apps allow them to load plug-ins that are signed by third-party developers. As Cisco points out in its research into the matter though, the only such plug-in available for the software giant’s macOS apps are web-based “Office add-ins.”
Even though Microsoft has classified these vulnerabilities as low risk, it has already updated its Teams and OneNote apps for macOS. However, Excel, Outlook, PowerPoint and Word haven’t been patched yet but that could change.
How to keep your Mac safe from hackers
Normally, I would warn you about downloading risky apps or files but in this case, you could still be at risk even if you’re extremely careful online. As such, the best and easiest way to protect yourself against any attacks leveraging these vulnerabilities is to keep your Mac and the software on it updated.
Software updates can certainly be annoying but as hackers often prey on users running outdated apps, it’s worth the extra time to routinely check for new updates and to install them as soon as they become available. Since Microsoft hasn’t updated its most popular Office apps yet though, there are some other steps you can take in the meantime.
While your Mac comes with built-in security software in the form of XProtect, you should also consider using one of the best Mac antivirus software solutions alongside it. Paid antivirus software is updated more regularly to protect you from the latest threats and you often get access to extras like a VPN or password manager to help keep you even safer online.
We’ve reached out to Microsoft for comment on these vulnerabilities and we will update this piece if and when we hear back. Until then though, you want to make sure that your Microsoft apps are up to date and if a patch is made available, you want to install it as soon as possible.
More from Tom's Guide
Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.