ESET warns of a vulnerability that allows Microsoft Teams to download and run malicious packages without the need for special privileges.
The Microsoft Teams platform has a vulnerability that allows a malicious actor to insert malicious code into the application and gain the ability to execute arbitrary files on the system. ESET Latin America, a leading proactive threat detection company, analyzes the bug.
Microsoft Teams is a communication platform that unifies multiple functionalities (chat, video conferencing, file storage and the ability to use them collaboratively, among others). It was created for corporate and/or educational use, because it allows users to assemble communities or working groups that can be joined through a URL or through an invitation.
The flaw affecting the platform lies in Squirrel, an open source project used for desktop application installation and update processes, which in turn uses the open source NuGet package manager to manage files. Various security researchers revealed that, by executing an update command, an attacker can exploit the flaw to execute arbitrary code, BleepingComputer explains.
Other applications affected for the same reason are GitHub, WhatsApp and UiPath, although in these cases the bug can only be exploited to download a payload. In the case of Microsoft Teams, a payload added to its folder is executed automatically using either of the Update.exe or squirrel.exe commands.
The flaw has not yet been fixed. According to researcher Richard Reegun, one of those who discovered the vulnerability, it was reported to Microsoft and the company will incorporate the patch in the next release.