Security News > 2020 > December > Wormable, Zero-Click Vulnerability in Microsoft Teams
Security researcher Oskars Vegeris has published documentation on a wormable, cross-platform vulnerability in Microsoft Teams that could allow invisible malicious hacker attacks.
Microsoft.com' domain could be abused to trigger a remote code execution flaw in the Microsoft Teams desktop application.
He said an attacker could abuse the XSS flaw to obtain SSO authorization tokens for Teams or other Microsoft services, or to access confidential conversations and files from the communications service.
He said Microsoft took the Teams desktop clients "Out of scope" and told the researcher it wouldn't issue a CVE number for the flaw, because vulnerabilities in Microsoft Teams are fixed via automatic updates.
Affected products include Microsoft Teams for macOS v 1.3.00.23764, Windows v 1.3.00.21759, and Linux v 1.3.00.16851.
News URL
Related news
- Week in review: Microsoft fixes two exploited zero-days, SOC teams are losing trust in security tools (source)
- Microsoft Reveals macOS Vulnerability that Bypasses Privacy Controls in Safari Browser (source)
- CISA Warns of Active Exploitation of Microsoft SharePoint Vulnerability (CVE-2024-38094) (source)
- Black Basta poses as IT support on Microsoft Teams to breach networks (source)
- Black Basta ransomware poses as IT support on Microsoft Teams to breach networks (source)
- Researchers Uncover OS Downgrade Vulnerability Targeting Microsoft Windows Kernel (source)
- Black Basta operators phish employees via Microsoft Teams (source)
- Week in review: Windows Themes spoofing bug “returns”, employees phished via Microsoft Teams (source)
- Microsoft Ignite 2024 Unveils Groundbreaking AI, Security, and Teams Innovations (source)