[German]A small view on Microsoft teams, which is offered to enterprise customers on a broad base. But what’s about the security of this product. Just a glimpse behind the curtain.
Microsoft Teams is a software or platform that combines chat, meetings, notes and attachments. The underlying service is integrated into Office 365 and teams are even planned to replace Skype for Business. I myself don’t focus much on teams here in the blog, since I don’t use this software. And on the other hand, I gain the impression, that I should take care to promote teams with blog posts. For a long time, I couldn’t get it right – but in the last days and weeks, some puzzle pieces have fallen into the picture.
The installer was (at least) a mess
Within my German article Teams: Erfolgreich, aber ein Sicherheits-GAU I had addressed two issues with Microsoft Teams. Its updater could be used to download malware. And Stefan Kanthak had pointed out to me that the Teams-Installer was vulnerable to DLL hijacking.
I just made a test today: The installer seems not to have a DLL hijacking vulnerability. But that setup thing did not ask anything, after I launched that software. Microsoft Teams has been installed from scratch within my Windows 7 user profile. The uninstall instructions mentioned at this Microsoft site, are useless for Windows 7. Luckily I found a Teams entry within the Uninstall Programs list in control panel.
Electron-Framework und old Chromium
But there is a 2nd thing I stumbled uppon last October. Security researcher Kevin Beaumont have had a closer look at Microsoft teams and posted this tweet.
Has anybody ever looked at Microsoft Teams security? It embeds Chromium by the looks of it, the Chrome user agent is v66 which is 18 months old.
— Kevin Beaumont (@GossiTheDog) October 28, 2019
He obviously found an 18 month old Chromium browser version used by Microsoft Teams. The background is that the product teams (like Yammer) are based on the Electron 3 framework. It enables the execution of cross-platform desktop applications using the Chromium web browser and the Node.js framework. That is the curse of software tools, where you depends on that, what the framework brings on the system.