[German]Another collective article on Microsoft Teams, which is widely used, but has a somewhat idiosyncratic implementation and above all is teeming with bugs and attracts negative attention in this regard every now and then. Today on offer: Since March 2021, Microsoft has been aware of four vulnerabilities in Teams that allow phishing via the link preview. And on Android, it can happen that Microsoft Teams blocks emergency calls. Here's a quick overview.
Advertising
Phishing vulnerabilities in Microsoft Teams
Fabian Bräunlein, founder of German security firm Positive Security, encountered four vulnerabilities in Microsoft Teams back in the spring of 2021, which he reported to the Microsoft Security Response Center (MSRC) on March 10, 2021, according to this blog post.
The whole thing came to attention after Bräunlein stumbled across a code execution vulnerability in Code Execution-Schwachstelle in Windows 10 via IE11/Edge Legacy and MS Teams. Bräunlein started looking for a way to bypass Teams/Electron's same-origin policy. The idea was to go from JavaScript to executing arbitrary code by sending commands to a locally launched Node.js debug web socket server. By the end of the day, Fabian Bräunlein and his team had encountered the four vulnerabilities listed below.
- 1 – Server-Side Request Forgery
- 2 – URL preview spoofing
- 3 – IP address leak
- 4 – Message of Death (DoS)
The bugs are explained in detail in the linked blog post by the security researcher. The URL preview spoofing bug (number 2 in the list above) can be used by attackers for phishing attacks or to cloak malicious links. However, Microsoft's MSRC team does not see any problem in this bug and replied:
MSRC has investigated this issue and concluded that this is not an immediate threat that requires urgent attention because once the user clicks on the URL, they would have to go to that malicious URL, which would be an indication that it is not the one the user was expecting.
On March 25, 2021, the ticket in question was closed, Microsoft will not close this bug in the current version, they said. In the meantime we have the end of 2021 and the bug is still unpatched. Therefore, Fabian Bräunlein, who is not really happy because of the bug bounty for the Windows 10 vulnerability mentioned above (the screw-up by Microsoft is touched on here), has published the blog post on December 22, 2021 then – I came across the issue via this article.
Advertising
Teams blocked emergency calls in Android
In mid-December 2021, it became known through various reports (I didn't have this on the blog, as I located it to emergency calls in the US) that users who had Microsoft Teams installed on Android may not be able to place emergency calls to 911. I'll link to this post from PC Magazine (English). There the boundary conditions and implications are explained. Microsoft has since released version 1416/1.0.0.2021194504 of the Teams Android app, which does not require uninstalling and then reinstalling the app to fix the problem.
