Security News > 2020 > December > Wormable, Zero-Click Vulnerability in Microsoft Teams

Security researcher Oskars Vegeris has published documentation on a wormable, cross-platform vulnerability in Microsoft Teams that could allow malicious attacks that are invisible to the victim.
Microsoft.com' domain could be abused to trigger a remote code execution flaw in the Microsoft Teams desktop application.
He said an attacker could abuse the XSS flaw to obtain SSO authorization tokens for Teams or other Microsoft services, or to access confidential conversations and files from the communications service.
He said Microsoft declared the Teams desktop clients "out of scope" and told the researcher it wouldn't issue a CVE number for the flaw, because vulnerabilities in Microsoft Teams are fixed via automatic updates.
Affected products include Microsoft Teams for macOS v 1.3.00.23764, Windows v 1.3.00.21759, and Linux v 1.3.00.16851.