By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy

Attackers can use genuine binaries from Microsoft Teams to execute a malicious payload using a mock installation folder for the collaboration software. The problem affects most Windows desktop apps that use the Squirrel installation and update framework, which uses NuGet packages. A list of impacted products, as tested by the security researcher that made the discovery, includes WhatsApp, Grammarly, GitHub, Slack, and Discord. Reverse engineer Reegun Richard found that he could create a fake Microsoft Teams package and use a signed binary to execute anything present in a specific location. One notable aspect of the experiment is that no resources are required on the target system other than the minimum package created by the attacker. The researcher found that the genuine 'Update.exe' file and two folders - 'current' and 'packages,' all being part of a normal Microsoft Teams installation, are sufficient to launch on the system malware that inherits the trust of the signed executable, allowing the defeat of some defense mechanisms. It appears that the 'Update' executable blindly deploys anything that is present in the 'current' folder. The 'packages' location needs to have a 'RELEASES' file, albeit it does not have to be valid. "It just needs the format 'SHA1 filename size'. Microsoft is aware of the problem but decided not to address it. The researcher says that the reason the company gave him was that the glitch "did not meet the bar of security issue." The researcher explains that not all NuGet packages are vulnerable but all apps relying on the Squirrel one-click installer are. More details can be found on OUR FORUM.