Microsoft Teams and it’s security

[German]A small view on Microsoft teams, which is offered to enterprise customers on a broad base. But what's about the security of this product. Just a glimpse behind the curtain.


Advertising

Microsoft Teams is a software or platform that combines chat, meetings, notes and attachments. The underlying service is integrated into Office 365 and teams are even planned to replace Skype for Business. I myself don't focus much on teams here in the blog, since I don't use this software. And on the other hand, I gain the impression, that I should take care to promote teams with blog posts. For a long time, I couldn't get it right – but in the last days and weeks, some puzzle pieces have fallen into the picture.

The installer was (at least) a mess

Within my German article Teams: Erfolgreich, aber ein Sicherheits-GAU I had addressed two issues with Microsoft Teams. Its updater could be used to download malware. And Stefan Kanthak had pointed out to me that the Teams-Installer was vulnerable to DLL hijacking.

I just made a test today: The installer seems not to have a DLL hijacking vulnerability. But that setup thing did not ask anything, after I launched that software. Microsoft Teams has been installed from scratch within my Windows 7 user profile. The uninstall instructions mentioned at this Microsoft site, are useless for Windows 7. Luckily I found a Teams entry within the Uninstall Programs list in control panel.

Electron-Framework und old Chromium

But there is a 2nd thing I stumbled uppon last October. Security researcher Kevin Beaumont have had a closer look at Microsoft teams and posted this tweet.


Advertising

He obviously found an 18 month old Chromium browser version used by Microsoft Teams. The background is that the product teams (like Yammer) are based on the Electron 3 framework. It enables the execution of cross-platform desktop applications using the Chromium web browser and the Node.js framework. That is the curse of software tools, where you depends on that, what the framework brings on the system.

Similar articles:
Office 365 ProPlus: ODT rolls out always MS Teams
Microsoft upgrades Skype for Business to Teams


Advertising

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).