Microsoft Teams Flaw Left User Vulnerable when Opening Conversations

Exploration did not require any authorization or confirmation – just reading the chat was enough to attack the computer. The problem affected the Windows, macOS and Linux versions of Teams. In the web version, the impact would be restricted to Teams itself.

Microsoft about the error on August 31. The problem has already been fixed, but it was not reported exactly when the fix went live.

In a text published on the web with the technical details of the vulnerability, Vegeris criticized Microsoft for taking too long to address the issue – according to the researcher, Microsoft took “weeks” to respond to each of his messages. But the expert also disagreed with Microsoft’s assessment of the seriousness of the problem.

In Microsoft’s opinion, this is a low-risk loophole that allows only “spoofing” (technical jargon for when the authorship of a communication is falsified).

But Vegeris understands that this classification is incomplete, since the problem allows code to be executed directly on the computer of those using the desktop versions of Teams (outside the web browser). Loopholes that result in code execution are usually considered the most serious.

Microsoft‘s assessment of the severity of the failure was based on the company’s “bug bounty” program, which pays researchers for reports of vulnerabilities.

Under the program’s rules, Microsoft Teams, when run directly on the computer, is “out of scope”, that is, it is not taken into account by the same rewards program that pays for failures in “cloud” services in Office.

For this reason, the impacts of the vulnerability have been divided between two different classifications.

When exploited in the “web” version of Teams, the breach is not able to execute code on the computer – unless there is also a vulnerability in the victim’s browser, which would be unrelated to Teams.

Thus, under the Microsoft rewards program, the gap is more limited than in a scenario of attacking users with the Teams app installed.

Because it is located on Microsoft‘s services infrastructure, the loophole has also not gained a catalog number. Security breaches are cataloged using numbers known as “CVEs”.

For Microsoft, any breach in a fully automatic update service will not receive a CVE. What justifies this decision is that users do not need to take specific measures – in the same way as any web service, such as social networks or webmail, which traditionally do not receive CVEs.

Because of these factors, the most serious effect of the problem reported by Oskars Vegeris did not earn him a cash prize from Microsoft, but only “points” that are worth to establish his position on a “scoreboard” of the independent experts who contribute most to the security of the company’s software.

Reviewer overview

Microsoft Teams Flaw Left User Vulnerable When Opening Conversations - /10

Summary

0 Bad!