We know that no software is perfect and there are nuances and security vulnerabilities to each one of them. But we know that some software apps are more vulnerable than others. One of them seems to be the Microsoft Teams app which is a Slack-replacement and a team management app. It has been found out that Microsoft Teams desktop app lets you download and execute arbitrary files on the system.
Since this is possible, you can download a malicious package and run it on the system which can damage or even crash the entire system. Now, the same issue is there on WhatsApp, Github and UiPath too but they are able to download payload only and not the other type of files such as malware.
All of the applications mentioned above use an open source Squirrel project to manage installation and routine updates. The Squirrel project uses NuGet package manager to create files which are necessary for the applications.
Now, Security Researchers have discovered that you can use the ‘update’ command for a vulnerable application to execute an arbitrary binary in the context of the end user. This can be done for ‘squirrel.exe’ as well.
Since ‘squirrel.exe’ is part of the Microsoft Teams package, it is vulnerable to this type of attacks. A reverse engineer named Reegun Richard had already tested this issue on June 4 and he has already reported to Microsoft about this issue. Also, Microsoft has told the researcher that a fix will come in a future release of Microsoft Teams.
Since Microsoft Teams is used by enterprise users, we believe that the security vulnerability inside it should be fixed much sooner than regular users. At the moment, we know that Slack is leading this segment in the market but it should not be long before Microsoft Teams gains traction along with other applications such as Hangouts Meet and Chat.