Vegeris, a technology engineer at Evolution Gaming, cautioned that the ‘teams.microsoft.com’ domain could be exploited by a novel cross-site scripting (XSS) loophole to cause a remote code execution bug in the Microsoft Teams desktop framework. Microsoft Teams, which compete with Slack and Zoom in the business space, has nearly 115 million regular active users and is broadly distributed as part of the Office 365 family of products by Microsoft. The team is a proprietary platform for enterprise collaboration that offers workspace chat, file storage and sharing, convergence with applications, and video conferencing features for customers. An attacker merely needs to deliver a specially designed message to any Team’s user or channel, according to an advisory released by Vegeris, to unleash a successful exploit that runs quietly in the background, without realizing something by the userOskars Vegeris Published. Remote Code Execution has been accomplished across all supported platforms in desktop applications (Windows, macOS, Linux). Code execution allows attackers to complete access via certain systems to victim devices and business internal networks, Vegeris warned. He said that the XSS bug could be exploited by an attacker to acquire SSO permission tokens for teams or other Microsoft programs, or to access private conversations and communications service data. On top of that, the flaw is wormable, allowing an effective attacker, even without contact, to immediately transmit the exploit payload to other users/channels. The efficient exploiting of the bug could theoretically give outside teams access to private keys and personal data, likely revealing information from the internal network and enabling opponents to set up phishing attacks. Vegeris states that remote code execution will only be done if the XSS in teams.microsoft.com (functionality of user ‘mentions’) is chained with the latest cross-platform hack for the desktop clients of Teams. The security researcher, who gives technical specifics of the bug and demonstrates how it can be abused, argues that Microsoft has downplayed the seriousness of the vulnerability and allocated a “important risk to a “spoofing” rating. He said Microsoft put “out of scope” the Teams desktop clients and advised the investigator that it did not release a CVE number for the vulnerability because automated fixes correct bugs in Microsoft Teams. Affected goods include Microsoft Teams v 1.3.00.23764 for macOS, 1.3.00.21759 for Windows, and 1.3.00.16851 for Linux. The business has fixed the vulnerability already.
