CVE-2024-41145
📋 TL;DR
A library injection vulnerability in Microsoft Teams for macOS allows malicious applications to inject code into the WebView.app helper process. This enables privilege escalation by leveraging Teams's access permissions. Only macOS users running the specific vulnerable version of Microsoft Teams (work or school) are affected.
💻 Affected Systems
- Microsoft Teams (work or school)
📦 What is this software?
Teams by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise through privilege escalation, allowing attackers to access sensitive data, install persistent malware, or pivot to other systems.
Likely Case
Local privilege escalation enabling unauthorized access to Teams data, system resources, or user files that Teams can access.
If Mitigated
Limited impact with proper application sandboxing and security controls preventing malicious application execution.
🎯 Exploit Status
Requires a malicious application to be installed and executed on the target system first. The vulnerability is in the library loading mechanism of the WebView.app helper.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Microsoft Teams auto-update or version > 24046.2813.2770.1094
Vendor Advisory: https://talosintelligence.com/vulnerability_reports/TALOS-2024-1990
Restart Required: Yes
Instructions:
1. Open Microsoft Teams. 2. Click on your profile picture. 3. Select 'Check for updates'. 4. Install any available updates. 5. Restart Teams completely.
🔧 Temporary Workarounds
Disable automatic library loading
macOSConfigure macOS to restrict library loading from untrusted locations
sudo spctl --master-enable
sudo spctl --enable --label "Developer ID"
Restrict Teams permissions
macOSReduce Teams's system permissions through macOS Privacy settings
🧯 If You Can't Patch
- Restrict user privileges to prevent installation of unauthorized applications
- Implement application allowlisting to control which applications can run on macOS systems
🔍 How to Verify
Check if Vulnerable:
Check Teams version: Open Teams → Click profile picture → About → Check if version is 24046.2813.2770.1094Check Version:
defaults read /Applications/Microsoft\ Teams.app/Contents/Info.plist CFBundleShortVersionStringVerify Fix Applied:
Verify Teams version is updated beyond 24046.2813.2770.1094 and check for recent update history📡 Detection & Monitoring
Log Indicators:
- Unusual library loading in Teams process
- Suspicious child processes spawned from Teams
- Teams accessing unexpected system resources
Network Indicators:
- Teams making unexpected network connections after library injection
SIEM Query:
process_name:"Microsoft Teams" AND (event_type:"library_load" OR parent_process:"WebView.app")