CVE-2024-43492 - How Microsoft AutoUpdate (MAU) Left Macs Wide Open for Attackers
If you’re a Mac user running Microsoft Office products, a recent vulnerability called CVE-2024-43492 may put your system at risk. This post breaks down what the flaw is, how it works, and what you need to do to stay safe from attackers. We’ll go over the technical details with easy explanations, show some code snippets, and give you direct links to trustworthy sources.
What is CVE-2024-43492?
CVE-2024-43492 is a security hole categorized as an *Elevation of Privilege* (EoP) vulnerability in Microsoft AutoUpdate (MAU) for macOS. Microsoft AutoUpdate is a tool that helps keep Office for Mac, Edge, and other Microsoft apps up to date on your Mac.
This vulnerability allows a local attacker (someone who already has access to your computer) to run commands with system-level (root) privileges, instead of just with your regular user rights. In simple terms, if someone can take advantage of this, they could control your whole Mac — install malware, steal data, or change system settings without your knowledge.
Official Reference
- Microsoft Security Guide for CVE-2024-43492
- NVD - CVE-2024-43492
How Could This Happen?
When Microsoft AutoUpdate installs updates, it runs certain processes with elevated privileges using a privileged helper tool. If the process for updating isn't secured properly (for example, if file permissions or communication channels are weak), a regular user can trick the updater into running their own code as root.
This type of bug is known as a *privilege escalation* vulnerability because it lets attackers go from normal access (limited powers) to root (unlimited powers).
1. Attacker is local: They’ve got standard (non-admin) shell or account access on your Mac.
2. They plant a malicious file or script in a place the updater will look (e.g., replacing a file used by the updater with a hard link to something the attacker controls).
Proof-of-Concept (PoC) Snippet
NOTE: This is for educational purposes only! Never exploit systems you do not own.
Below is a simplified bash script mimicking how an attacker could hijack permissions using a malicious script in a writable directory checked by MAU:
```bash
#!/bin/bash
# Example path MAUHelper uses; replace with actual on your machine
AUTOMATIC_UPDATE_PATH="/Library/Application Support/Microsoft/MAU2./Microsoft AutoUpdate.app/Contents/MacOS"
# Malicious payload that will be executed as root
echo '#!/bin/bash' > /tmp/evil.sh
echo 'touch /tmp/i_am_root' >> /tmp/evil.sh
chmod +x /tmp/evil.sh
# Replace a legitimate update script or create a symlink
ln -sf /tmp/evil.sh "$AUTOMATIC_UPDATE_PATH/update_script"
# Now, when MAU runs "update_script" with root, it executes attacker's code
# After exploitation, /tmp/i_am_root
```
Depending on which script or binary the AutoUpdate agent actually runs as root, the attacker would aim for that exact file.
With root privileges, an attacker could intercept any data (including passwords or personal files).
For an organization, this could mean an attacker gaining full control over employee Macs, bypassing company security.
Mitigation and Patch
Microsoft released security updates to fix this bug. If you’re not patched, you’re vulnerable!
Make sure you have AutoUpdate version 4.76. or later.
Update as soon as possible. If you’re in a managed environment, ask your IT. If your Mac is personal, do it now.
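Alongside patching, defenders can check for the weak-permission condition described earlier. The script below is an added example, not code from this post's sources or from Microsoft: it walks a directory that a root-run helper executes from and flags symlinks, extra hard links, unexpected owners, and group- or world-writable entries. The function names `list_findings` and `audit_tree` are hypothetical, and the directory to audit is an assumption you supply as the first argument.

```bash
#!/bin/bash
# Added example, not Microsoft's code. Flags entries under a directory that a
# root-run helper executes from which an unprivileged user could have planted
# or could still modify. Function names are hypothetical.

# list_findings DIR OWNER: print "REASON<TAB>PATH" for each suspicious entry.
list_findings() {
    # Symlinks: a root process that follows one runs or reads the link target.
    find "$1" -type l -exec printf 'symlink\t%s\n' {} \;
    # Regular files with extra hard links: the inode is reachable elsewhere.
    find "$1" -type f -links +1 -exec printf 'hardlink\t%s\n' {} \;
    # Entries not owned by the expected account.
    find "$1" ! -user "$2" -exec printf 'owner\t%s\n' {} \;
    # Group- or world-writable entries; symlink mode bits are not meaningful.
    find "$1" ! -type l \( -perm -0020 -o -perm -0002 \) \
        -exec printf 'writable\t%s\n' {} \;
}

# audit_tree DIR [OWNER]: returns 0 if clean, 1 on findings, 2 on bad input.
audit_tree() {
    audit_dir=$1
    audit_owner=${2:-root}
    if [ ! -d "$audit_dir" ]; then
        echo "not a directory: $audit_dir" >&2
        return 2
    fi
    audit_out=$(list_findings "$audit_dir" "$audit_owner")
    if [ -n "$audit_out" ]; then
        printf '%s\n' "$audit_out"
        return 1
    fi
    return 0
}

# Run only when a directory is given, e.g. the MAU install path on your Mac.
if [ "$#" -gt 0 ]; then
    audit_tree "$@"
fi
```

A non-zero exit status means at least one entry needs review; some findings (for example admin-group write access) may be expected on a given system and should be confirmed against a known-good install.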
More Technical References
- Original Microsoft Security Guide
- Mac Admins Slack Community Discussion *(search for CVE-2024-43492)*
- Microsoft AutoUpdate for Mac – Office Updates
Final Thoughts
This vulnerability teaches us that even trusted, auto-updating apps can become attack vectors if they handle permissions poorly. Regular users need to keep everything updated. Organizations must monitor vulnerable software and educate their people about local threats, not just malware and phishing!
Timeline
Published on: 09/10/2024 17:15:36 UTC
Last modified on: 10/09/2024 01:26:17 UTC