Security News > 2020 > December > When is a remote-code-execution bug in Teams not an RCE? When Microsoft says it isn't, flaw finder discovers

At some point since August, Microsoft quietly fixed a cross-site scripting bug in its Teams web app that opened the door to a serious remote-code-execution vulnerability in the Linux, macOS, and Windows desktop versions of its Teams collaboration app.

The security researcher who identified the issue suggests Microsoft should have done more to acknowledge the risk, noting that Microsoft didn't bother to publish details or obtain Common Vulnerabilities and Exposures identifiers for the flaws because Teams gets automatically updated.

Vegeris claims the Teams vulnerability could be exploited for "Zero-click, wormable, cross-platform remote code execution." Using an XSS bug in Microsoft's Teams web app, an attacker could send or edit a Teams message that executed arbitrary code when the message was viewed.

Even without utilizing the RCE in the Teams desktop apps, Vegeris contends that the web app XSS allowed an attacker to grab Single Sign-On auth tokens from Teams and other Microsoft services like Office 365, Outlook, and Skype and to access confidential conversations and files within Teams.

Another bug hunter thanked in Slack's post on the subject, Matt Austin, director of security research at Contrast Security, told The Register in a phone interview in August that he was aware of an RCE bug affecting Teams that had remained unfixed for over a year.

News URL

https://go.theregister.com/feed/www.theregister.com/2020/12/07/microsoft_teams_rce_flaw/