
Microsoft Teams may have downplayed a disastrous security issue

(Image: Microsoft Teams. Credit: Shutterstock / Ink Drop)

Microsoft has been accused of downplaying the severity of a security issue found in its collaboration platform Teams, which was remedied quietly back in October.

According to a report from security engineer Oskars Vegeris, the company failed to warn users of the problem and neither did it seek Common Vulnerabilities and Exposures (CVE) classification, on the grounds that Teams patches are installed automatically.

Roughly one month after disclosure, the cross-site scripting (XSS) vulnerability was classified by Microsoft as “Important, Spoofing”, which Vegeris describes as “one of the lowest in-scope ratings possible”.

However, Vegeris argues that the breadth of possible attacks, and the access the bug gives to different parts of a compromised network, warrant a far higher severity rating.

Microsoft Teams vulnerability

This particular Microsoft Teams vulnerability, according to the researcher, could open the door to “zero click, wormable, cross-platform remote code execution.”

Broken down for the layman, this means the attack does not hinge on a mistake on the part of the victim (such as clicking on a dangerous link), infection can spread from one computer to the next, and the exploit allows the attacker to run malicious code on infected machines at will.

As Vegeris describes, an attacker could send or edit a message that looks identical to any other. When the relevant chat log is opened, the code embedded in the message runs on the victim’s machine.
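The defect class behind this is stored cross-site scripting: untrusted message content is placed into the client’s HTML without encoding, so markup an attacker puts in a message is rendered as part of the page. The following is an added illustration, not code from the article or from Microsoft Teams; it assumes a hypothetical chat client that renders message objects to HTML, shows the vulnerable rendering beside the hardened one, and includes a simple check a reviewer or log pipeline can run over rendered output. All message data is constructed sample input.

```javascript
// Added example (not from the article or from Microsoft Teams): a minimal
// chat-message renderer showing the stored-XSS defect class and its fix.
// The message objects below are constructed sample data.

// Vulnerable: the message body is interpolated straight into HTML, so any
// markup placed in a message becomes live markup in the viewer's page.
function renderMessageUnsafe(msg) {
  return `<div class="msg"><b>${msg.author}</b>: ${msg.body}</div>`;
}

// HTML-escape untrusted text so it is displayed literally rather than parsed.
// Covers the characters that matter in element content and quoted attributes.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Hardened: every attacker-controlled field is escaped before it reaches the
// markup, so the wrapper tags are the only tags the output can contain.
function renderMessageSafe(msg) {
  return `<div class="msg"><b>${escapeHtml(msg.author)}</b>: ${escapeHtml(msg.body)}</div>`;
}

// Defensive check: does rendered HTML contain any tag beyond the renderer's own
// fixed wrapper tags? A hit means untrusted markup reached the page.
function hasUnexpectedTags(html) {
  const allowed = new Set(['div', 'b']);
  const tagRe = /<\/?([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowed.has(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample messages: one benign, one carrying markup in its body.
const benign = { author: 'alice', body: 'Meeting moved to 3pm' };
const hostile = { author: 'bob', body: '<script>stealToken()</script>' };

console.log(renderMessageUnsafe(hostile)); // script tag survives intact
console.log(renderMessageSafe(hostile));   // script tag shown as text
console.log(hasUnexpectedTags(renderMessageUnsafe(hostile))); // true
console.log(hasUnexpectedTags(renderMessageSafe(hostile)));   // false
```

Escaping at the point of output is the fix for this class; it should be paired with a Content Security Policy that forbids inline script, so that a single missed encoding does not by itself become code execution. In a desktop client that wraps a web view, the same rendering bug additionally needs the web content isolated from any privileged runtime APIs, which is what turns XSS into remote code execution.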

“That’s it. There is no further interaction from the victim. Now your company’s internal network, personal documents, O365 documents/mail/notes, secret chats are fully compromised,” wrote Vegeris.

“Think about it. One message, one channel, no interaction. Everyone gets exploited.”

According to the report, the exploit could also have allowed attackers to steal Office 365 SSO tokens (giving them access to corporate email logs, documents etc.), escalate their administrative privileges and gain access to the cameras and microphones of infected devices.

Further, if an organization invited guest entities into their Teams network (often clients or customers), infection could also in theory hop between businesses.

“At least now we have a new joke between colleagues - whenever we get a remote code execution bug, we call it ‘Important, Spoofing’. Thanks Microsoft,” joked Vegeris.

Microsoft did not immediately respond to our request for comment.

Update:

A Microsoft spokesperson has since provided the following statement, though offered no further comment on whether the severity of the bug was originally understated:

"We mitigated the issue with an update in October, which has automatically deployed and protected customers."

Via The Register

Joel Khalili

Joel Khalili is a Staff Writer working across both TechRadar Pro and ITProPortal. He's interested in receiving pitches around cybersecurity, data privacy, cloud, storage, internet infrastructure, mobile, 5G and blockchain.