Microsoft won't fix these serious Teams security flaws — what you need to know

Remember the Microsoft Teams bug a few weeks ago that prevented some Google Pixel users from calling 911? Now Microsoft's business collaboration service has been found to have at least four more security flaws, including one that could steer users to malware and phishing sites, and Microsoft has fixed only one of them.

Russian information security firm Positive Technologies spelled out the saga in a blog post on Tuesday (December 22), explaining that two of the new vulnerabilities are specific to Android, while the other two apply to all operating systems.

The worst of them involves the thumbnail preview that Teams generates for links in messages: an attacker can make the preview display one URL while clicking it opens another, so a malicious link can be dressed up as a legitimate one. This works in Teams on Windows, Mac, iOS and Linux as well as on Android.

Fabian Bräunlein of Positive Technologies created a video clip showing how to make a Google link look like a Bing link using a common network traffic intercept tool.

"Clicking on the preview opens a different link than what the user was expecting," Bräunlein wrote in a blog post. "This could be used to hide phishing attacks or malicious links."
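The spoofing pattern above, a preview or link whose visible URL differs from the URL the click actually opens, is something a mail or chat security gateway can flag before a human ever sees it. The following is an added example (not code from the original article or from Positive Technologies) that scans the HTML of a message for anchors whose visible text looks like a URL but whose `href` points at a different host. The message markup it parses is a constructed, simplified stand-in; it is not Microsoft Teams' real message or preview-card format.

```python
"""Flag links whose displayed URL does not match the URL they open.

Added example. SAMPLE_MESSAGE is constructed HTML, not Teams' wire format.
"""
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Visible text "looks like a URL" if it is a bare host/path or has an http(s) scheme.
_URL_TEXT = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.IGNORECASE)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in a document."""

    def __init__(self) -> None:
        super().__init__()
        self._href = None
        self._text: List[str] = []
        self.anchors: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url: str) -> str:
    """Lower-cased hostname of a URL; visible text often omits the scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    # Treat "www.example.com" and "example.com" as the same site.
    return host[4:] if host.startswith("www.") else host


def find_spoofed_links(html: str) -> List[Tuple[str, str]]:
    """Return (target_href, visible_text) for every anchor whose visible text is
    itself a URL but names a different host than the href it opens."""
    collector = _AnchorCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.anchors:
        if not _URL_TEXT.fullmatch(text):
            continue  # non-URL link text ("Sign in here") is a different problem
        if _host_of(text) != _host_of(href):
            flagged.append((href, text))
    return flagged


# Constructed sample: one spoofed link, one honest link, one with plain-text anchor.
SAMPLE_MESSAGE = (
    '<p>Search here: <a href="https://www.bing.com/">https://www.google.com/</a></p>'
    '<p>Report: <a href="https://example.com/report">https://example.com/report</a></p>'
    '<p>Portal: <a href="https://evil.example/login">Sign in here</a></p>'
)

if __name__ == "__main__":
    for href, text in find_spoofed_links(SAMPLE_MESSAGE):
        print(f"SPOOFED: shows {text!r} but opens {href!r}")
```

The check is deliberately narrow: it only catches a URL-looking label that lies about its host. A link whose label is ordinary prose ("Sign in here") sails through, which is why this belongs alongside, not instead of, URL reputation and user-facing hover previews.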

Positive Technologies reported all of these flaws to Microsoft in March 2021, but Microsoft responded that this particular vulnerability "requires users to click on a URL to be taken to that malicious ... does not pose enough of a threat to warrant immediate attention."

Apparently, Microsoft's Teams team has never seen a truly convincing phishing site.

Two of the other flaws leak information that should stay private.

The first, which Positive Technologies says Microsoft has now patched, lets an attacker who sends a "specially crafted link preview" learn the Internet Protocol (IP) address of the other party when that party views the Teams chat from an Android device.

An IP address is not very sensitive on its own, but knowing it lets an attacker target that user in other ways. The flaw was quietly patched, even though Microsoft had dismissed it as another issue that "does not pose an immediate threat."

The second is a larger problem for Microsoft itself. Bräunlein found that the server-side component that fetches pages to build link previews could be pointed at addresses of the attacker's choosing, a server-side request forgery (SSRF) that exposed sensitive information about the Microsoft server hosting Teams chats.

According to Bräunlein, this "can be used to scan internal ports or send HTTP-based exploits to discovered web services."
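The two information leaks above are two sides of the same design decision. If the client fetches a preview itself, the sender learns the viewer's IP address (the Android flaw); if the service fetches it on the client's behalf, an attacker-supplied URL is opened from inside the provider's network, which is exactly the port-scanning and internal-exploit surface Bräunlein describes. The usual fix for the server-side variant is to validate where a preview URL actually leads before fetching it. The following is an added example of that guard (not Microsoft's code, and not taken from the Positive Technologies report): it refuses non-HTTP schemes, URLs with embedded credentials, and any hostname that resolves to a non-public address, including IPv4-mapped IPv6 forms and mixed DNS answers. The `CONSTRUCTED_DNS` table is an invented resolver so the example runs offline; `system_resolver` is what production code would pass instead.

```python
"""SSRF guard for a server-side link-preview fetcher.

Added example. CONSTRUCTED_DNS is a made-up resolver table for offline use.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve `host` to every A/AAAA answer using the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # ::ffff:127.0.0.1 is loopback in disguise; apply the IPv4 rules to it.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr.is_global and not (addr.is_multicast or addr.is_reserved)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_preview_target(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason) for a URL the preview generator is about to fetch.

    Every resolved address must be public: the connect may pick any answer,
    so one internal address in the set is enough to refuse the whole name.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed IPv6 bracket syntax
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        # http://trusted.example@10.0.0.5/ reads as trusted but connects to 10.0.0.5
        return False, "credentials in URL not allowed"
    try:
        ips = [host] if _is_ip_literal(host) else list(resolver(host))
    except OSError as exc:  # socket.gaierror is a subclass
        return False, f"resolution failed: {exc}"
    if not ips:
        return False, "no addresses"
    for ip in ips:
        if not _is_public(ip):
            return False, f"{host} -> {ip} is not a public address"
    return True, "ok"


# Constructed DNS table (assumption, not real records) so the example runs offline.
CONSTRUCTED_DNS = {
    "news.example": ["93.184.216.34"],
    "intranet.corp.example": ["10.0.0.5"],
    "rebind.example": ["1.1.1.1", "127.0.0.1"],  # mixed answers: still refused
}


def constructed_resolver(host: str) -> List[str]:
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host}")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for candidate in (
        "https://news.example/story",
        "http://intranet.corp.example/",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]/",
        "http://news.example@intranet.corp.example/",
        "file:///etc/passwd",
    ):
        print(candidate, "->", check_preview_target(candidate, constructed_resolver))
```

Two caveats a practitioner would add: the check must be re-run on every redirect the fetch follows, and the address it validated is the one the socket should connect to (pin it, or resolve once and connect by IP), otherwise a hostname whose DNS answer changes between the check and the connect defeats the guard.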

The last flaw is merely annoying, but annoying enough. It lets an attacker (or just a prankster) crash the Teams Android app by sending an invalid image preview link, what Bräunlein amusingly calls a "message of death." All that is required is to put a malformed web link where a legitimate one should be.

"Attempting to open a chat/channel with a malicious message will continue to crash the app, making the chat/channel unusable for Android users," Bräunlein wrote.

Microsoft told Positive Technologies that "this issue does not require immediate security services" and that it would "consider a fix in a future version" of Teams.

Asked by Threatpost about the Positive Technologies report, Microsoft said, "We have investigated all four reports and have concluded that they do not pose an immediate threat requiring a security fix."

Microsoft also stated that "we are working on a fix for this issue."

"We have received similar reports in the past and have recently made several improvements to our data handling and security in general," Microsoft added.

The moral of the story is this: do not run Teams on Android, and be very careful about the image links you click in Teams on all platforms.

We also recommend running the best antivirus software for Windows, Mac and Android, and even for iOS (where what's available is general security software rather than true antivirus), so that malicious links are blocked system-wide rather than only inside Teams.
