Last Updated on 15/12/2020 by Drashti
A security researcher named Oskars Vegeris went public with a chain of vulnerabilities that he said could have allowed an intruder to plant malicious code into systems simply by tricking a target into displaying a maliciously designed chat message.
At the end of August, Oskars Vegeris discovered and documented the cross-platform bugs to Microsoft.
The vulnerability affected features such as direct messages and channels in Microsoft Teams and would have allowed hackers to remotely execute arbitrary code and spread infection by simply sending a specially designed, innocuous message.
The vulnerability was, however, only patched in October, with Vegeris pointing out that the bug was not even given a CVE tag by Microsoft. This tag serves as a guide for vulnerabilities and exposures to publicly established security and lets impacted users more quickly find details about the danger.
Luckily, the bug was later patched, but just a few months after it was first reported to Microsoft.
Users of Microsoft Teams were alerted to the hacking vulnerability that was found in the desktop app chat system.
As reported in the IT Pro post, the flaw of Microsoft Teams was a worm-like, zero-click flaw-meaning no user intervention was necessary for an attack to take place and could continue to spread.
It was found that the Remote Code Execution (RCE) vulnerability can be triggered by a novel Cross-Site Scripting (XSS) injection in teams. microsoft[.]com, which affects the MS Teams desktop application across all supported platforms – Windows (version 1.3.00.21759), macOS (version 1.3.00.23764), and Linux (1.3.00.16851).
In addition, the attacker could exploit the XSS vulnerability to acquire SSO authorization tokens for Microsoft Teams or its other services, such as Skype, Outlook and Office365, without obtaining arbitrary code execution.
According to the researcher, “The consequences of infection ranged from complete loss of confidentiality and integrity for victims, to access to private communications, internal networks, private keys as well as personal data outside of Microsoft Teams.”
Microsoft Security Response only described vulnerabilities as “important, spoofing” – a designation that Vegeris strongly disagreed with for reasons clarified in a technical write-up that included an exploit demonstration posted to GitHub on Monday.
To Make sure that you aren’t a prey for the predator, update your Microsoft Teams with the patches released by Microsoft in October.
