Flaw finder disputes Microsoft’s ‘spoofing’ designation

UPDATED A security researcher has gone public with a chain of vulnerabilities in Microsoft Teams they claim could have allowed an attacker to plant malicious code into systems simply by tricking a target into viewing a maliciously crafted chat message.

Oskars Vegeris found and reported the cross-platform bugs to Microsoft at the end of August. The tech giant addressed the issue at the end of October through an automated update.

Microsoft Security Response only identified the vulnerabilities as “important, spoofing” – a designation that Vegeris strongly disagreed with for reasons explained in a technical write-up that includes an exploit demonstration, posted to GitHub on Monday.


Microsoft reportedly admitted that the flaw could have more serious implications beyond spoofing, but only in the case of its desktop app, while Vegeris argues that the issue extends beyond Windows.

The researcher discovered that a stored cross-site scripting (XSS) flaw present in the Teams ‘@mentions’ function might be combined with a JavaScript-based exploit to booby-trap a chat message and achieve remote code execution (RCE) in desktop applications across all supported platforms.

The exploit relies on a sandbox escape, a CSP (Content Security Policy) bypass, and abuse of the Microsoft Teams API, amongst other trickery.

The vulnerabilities are cross-platform – affecting Windows, Mac, and Linux versions of Teams as well as the web client (teams.microsoft.com) – and, worse yet, potentially wormable, according to Vegeris.

“Even without arbitrary code execution on [the] victim device, with the demonstrated XSS it’s possible for an attacker to obtain SSO [single sign-on] authorisation tokens for Microsoft Teams and other Microsoft Services (e.g. Skype, Outlook, Office365),” Vegeris warned in his initial bug report. “Furthermore, the XSS vulnerability by itself allows [attackers] to access confidential / private conversations, files etc. from within MS Teams.

“These attacks could be performed by guest users completely silently with no user interaction or indications of compromise,” he added.

Microsoft declined to assign a CVE for the vulnerability because the issue was resolved without user interaction through an automated update, it told Vegeris. It recognised the chain of bugs as in scope for its O365 cloud bug bounty program, but only at the lowest in-scope classification, much to Vegeris’ chagrin.

The security researcher claims to have uncovered four other, as yet publicly undisclosed, one- or zero-click RCE exploit chains in Microsoft Teams.

Microsoft is sticking by its initial designation and keen to emphasize that the issue was, as far as it's concerned at least, resolved some weeks ago.

“We mitigated the issue with an update in October, which has automatically deployed and protected customers,” Microsoft told The Daily Swig.

Lights, camera, video conferencing

As more people have been obliged to work from home because of the coronavirus pandemic, video conferencing and collaboration apps have become an important means to keep businesses ticking over and usage has skyrocketed. Security researchers have increased their scrutiny of these apps as a consequence and the results have not always been pretty.

Vegeris discovered a similarly serious flaw in the desktop version of Slack in August, around the same time he uncovered security shortcomings in Microsoft Teams.

The security researcher told The Daily Swig that the Microsoft Teams vulnerability was the more serious of the two.

He explained: “I think it's more severe simply because it is zero interaction, therefore you cannot really avoid it, since messages are the whole purpose of Microsoft Teams.”

Microsoft resolved a separate RCE vulnerability in Teams (CVE-2020-17091), credited to security researcher Matt Austin, last month.

This story was updated to add comment from Microsoft
