


Microsoft won't fix these serious Teams security flaws — what you need to know


Remember the Microsoft Teams flaw from a couple of weeks ago that didn't let Google Pixel users call 911? It turns out there are at least four security flaws in Microsoft's business-collaboration service, including one that could send you to malware or phishing websites, and Microsoft has fixed only one of them.

Russian information-security firm Positive Technologies chronicled this saga in a blog post Tuesday (Dec. 22), explaining that two of the new vulnerabilities are specific to Android while the two others apply to all operating systems.

Poisoned image previews

The worst vulnerability lets an attacker swap in a malicious URL, or web link, for the legitimate one when Teams displays a thumbnail preview image. This works in Windows, Mac, iOS and Linux as well as Android.

Using a common network-traffic-intercept tool, Positive Technologies' Fabian Bräunlein made a video clip demonstrating how he substituted a Google link into what appeared to be a Bing link — two domains that would not ordinarily have anything to do with each other.

"When clicking the preview, a different link is opened than what was expected by the user," Bräunlein wrote in the blog post. "This can be used either for improved phishing attacks, or to hide malicious links."

Microsoft was told of all these flaws by Positive Technologies in March of 2021, but the operating-system maker responded that this particular vulnerability "does not pose an immediate threat that requires urgent attention because once the user clicks on the URL, they would have to go to that malicious URL which would be a giveaway that it's not the one the user was expecting."

Obviously Microsoft's Teams team has never seen a really convincing phishing website.

Spilling the beans

Two of the other flaws reveal information about the other parties on a Teams call that should be kept private.

The first, which Positive Technologies says Microsoft has now patched, lets an attacker send a "specially crafted link preview" to get another person's Internet Protocol (IP) address if the other person views a Teams chat from an Android device.

That information by itself is not terribly malicious, but having the other party's IP address could let the attacker mount attacks on that user by other means. This flaw was quietly patched even after Microsoft dismissed it as another issue that "does not pose an immediate threat."

The second is more of a problem for Microsoft itself. Bräunlein found that with some clever coding, which he's not revealing, he could get sensitive information about the Microsoft server hosting a Teams chat.

According to Bräunlein, this "can be used for internal port scanning and sending HTTP-based exploits to the discovered web services," but Microsoft declined to fix it and gave Positive Technologies permission to discuss it publicly.

Start, crash, repeat

The last flaw is merely annoying. It lets an attacker (or maybe just a prankster) crash the Teams Android app by sending an invalid image-preview link, or what Bräunlein entertainingly calls the "Message of Death." All you need to do is put something that's not a legitimate weblink in the space where one should be.

"The app keeps crashing when trying to open the conversation/channel with the malicious message, which makes the chat/channel unusable for Android users," Bräunlein wrote.

Microsoft told Positive Technologies "that this issue does not require immediate security service" and that a fix "will be considered in a future version" of Teams.
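As an added example (not from the article or from Positive Technologies' write-up), here is a defender-side check for the two preview problems described above: a click target that differs from the link shown, and a preview field that is not a valid web link. The card field names are hypothetical, since the article does not describe Teams' actual message format.

```python
from urllib.parse import urlsplit

# Hypothetical field names for a link-preview card; the article does not
# give the real Teams message format.
URL_FIELDS = ("display_url", "click_url", "image_url")


def _host(value):
    """Return the lowercase host of an http(s) URL, or None if it is not one."""
    if not isinstance(value, str):
        return None
    try:
        parts = urlsplit(value.strip())
        host = parts.hostname
    except ValueError:  # e.g. unbalanced brackets in the host part
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def check_preview_card(card):
    """Return a list of findings for one preview card; an empty list means clean."""
    findings = []
    hosts = {}
    for field in URL_FIELDS:
        host = _host(card.get(field))
        if host is None:
            # Reject instead of rendering: the article says an invalid
            # image-preview link is what crashes the Android app.
            findings.append(f"{field}: not a valid http(s) URL")
        else:
            hosts[field] = host
    shown, target = hosts.get("display_url"), hosts.get("click_url")
    if shown and target and shown != target:
        findings.append(f"host mismatch: shows {shown}, opens {target}")
    return findings


# Constructed sample cards (not captured traffic).
CLEAN = {"display_url": "https://www.bing.com/", "click_url": "https://bing.com/search?q=teams",
         "image_url": "https://www.bing.com/thumb.png"}
SPOOFED = dict(CLEAN, click_url="https://www.google.com/")
MALFORMED = dict(CLEAN, image_url="not-a-link")

if __name__ == "__main__":
    for name, card in (("clean", CLEAN), ("spoofed", SPOOFED), ("malformed", MALFORMED)):
        print(name, check_preview_card(card))
```

The host comparison is deliberately strict, so legitimate redirectors or link shorteners would also be flagged and need an allowlist.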

Asked about the Positive Technologies report by Threatpost, Microsoft said that "we've investigated all four reports and have concluded that they do not pose immediate threats requiring a security fix."

"We've received similar reports in the past and have made several recent improvements to the handling of data and security in general," Microsoft added.

The moral of this story is: Maybe don't run Teams on Android, and be very careful about which image links you click in Teams on all platforms.

You'll also want to run some of the best antivirus software for Windows, Mac, Android and even iOS (where it's just security software) to make sure malicious links are blocked systemwide.

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than fifteen years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

Source: https://www.tomsguide.com/news/microsoft-teams-four-flaws

Posted by: trueloveafrown.blogspot.com
