A bit disturbing:
Security analysts have found a severe security vulnerability in the desktop app for Microsoft Teams that gives threat actors access to authentication tokens and accounts with multi-factor authentication (MFA) turned on.
Microsoft Teams is a communication platform, included in the 365 product family, used by more than 270 million people for exchanging text messages, videoconferencing, and storing files.
It's a field day for the hacking community!!
Interesting. While Teams predated the pandemic, I suspect there was a lot of pressure to pump out new releases during Covid, and maybe some steps were skipped.
As to Microsoft's "no big deal" response: while it is true that a prerequisite compromise would have to happen (an attacker getting access to local files), this has been the problem that has plagued Microsoft for seemingly decades. Their model is all about integration - between applications but also between those applications and the OS. While it can work, and is working much better today than years ago, it is still a bit of a Tootsie-Pop design where if an attacker can crack the thin, hard shell, it's all soft and gooey inside.
Would be helpful if the reports included the CVE number and the CVSS score. A few quick searches yielded neither. Based on my reading of the article, I would classify it as "session hijacking requiring local access" and estimate the CVSS at about 6.1 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L/E:U/RL:W/RC:C).
The vendor response does have a dismissive tone that is probably playing into the hype, but knowing that "Teams 2.0" will not be using Electron, I do see where they are headed. Now if we could just get a release date for Teams for Business 2.0.
The technique described does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network. We appreciate Vectra Protect’s partnership in identifying and responsibly disclosing this issue and will consider addressing in a future product release.