The nature of the flaw in Microsoft Teams allows performing an attack in which the recipient of a message does not need to perform any sort of action \u2013 exploitation will occur just by reading it. And what comes as a real surprise is a fact that the zero-click remote code execution vulnerability did not receive a CVE. Considering how many companies rely on MS Teams as a collaboration software, it is extremely important that organizations prioritize patching this vulnerability. And not giving it a CVE sends a bad message.<\/p>\n\n\n\n\n\n\n\n
Security engineer, Oskars Vegeris from Evolution Gaming disclosed technical details about a wormable, cross-platform bug in Microsoft Teams that could allow stealth attacks.<\/p>\n\n\n\n
The flaw is a cross-site scripting (XSS) issue that impacts the \u2018teams.microsoft.com\u2019 domain. It could be exploited by an attacker to achieve remote code execution in the MS Teams desktop app.<\/p>\n\n\n\n
A crook could exploit the flaw by sending a specially crafted message to any Microsoft Teams user or channel which will execute arbitrary code on victim PC\u2019s with NO USER INTERACTION.<\/p>\n\n\n\n
Remote Code Execution has been achieved in desktop applications across all supported platforms (Windows, macOS, Linux). It gives attackers full access to victim devices and company internal networks via those devices<\/p>\n\n\n\n
Even without gaining arbitrary code execution, the attacker could exploit the XSS flaw to obtain SSO authorization tokens for MS Teams or other Microsoft services (e.g. Skype, Outlook, Office365). The issue could also allow attackers to access confidential conversations and files from the communications service.<\/p>\n\n\n\n
The researcher pointed out that the attack is stealth so it doesn\u2019t require any user interaction and there are no indicators of compromise for this attack. The flaw is also \u2018wormable,\u2019 this means that it is possible to automatically repost the exploit payload to other companies, channels, users without interaction<\/p>\n\n\n\n
Successful exploitation could cause complete loss of confidentiality and integrity for end-users, attackers could access sensitive info into private chats, files, internal network, along with private keys and personal data outside MS Teams<\/p>\n\n\n\n
Unfortunately, IT giant rated the issue \u201cImportant, Spoofing\u201d which is one og the lowest in-scope ratings possible. Wouldn\u2019t even issue a CVE number for the vulnerability, because issues in Microsoft Teams are fixed via automatic updates.<\/p>\n\n\n\n
If you want 100% warranty that your SaaS data is protected, consider Office 365 backup<\/a> and even today join Xopero Beta Testing Community<\/a>. <\/p>\n\n\n\n