The Cisco Talos group, which specializes in malware protection, has published a new report that disclosed a vulnerability in Microsoft’s macOS programs. This was reported by 9to5Mac.

A vulnerability in Microsoft Teams and Outlook allows attackers to gain access to a computer’s camera and microphone without the user’s consent. The vulnerability is exploited by downloading malicious libraries into Microsoft applications to gain the same rights and permissions that users have granted to these programs.

MacOS has a Transparency Consent and Control (TCC) protocol that focuses on regulating app permissions, such as access to the camera, microphone, and others. Each program needs the right to request permission from TCC, and if this right is not present, then there will not even be a window requesting access. However, the vulnerability allows attackers to use the same permissions that were granted to Microsoft programs.

Almost all Microsoft programs for macOS, except Excel, request access to the microphone, and some also request access to the camera. Using these permissions, attackers can record audio and video and take photos without the user’s knowledge.

The Cisco Talos team says that Microsoft is aware of this vulnerability, but considers its risk to be low, as attackers need to download unsigned libraries for third-party plug-ins to exploit it.

Despite this, the company released an update for Microsoft Teams and OneNote on macOS, changing how the programs handle library check permission, but other programs such as Excel, PowerPoint, Word, and Outlook did not fix the vulnerability.