Microsoft won't fix these serious Teams security flaws — what you need to know

Share

• Copy link
• Facebook
• X
• Reddit
• Email

Share this article

Join the conversation

Follow us

Add us as a preferred source on Google

Newsletter

Get the Tom's Guide Newsletter

Here at Tom’s Guide our expert editors are committed to bringing you the best news, reviews and guides to help you stay informed and ahead of the curve!

Become a Member in Seconds

Unlock instant access to exclusive member features.

Contact me with news and offers from other Future brands Receive email from us on behalf of our trusted partners or sponsors

---

By submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

You are now subscribed

Your newsletter sign-up was successful

---

Want to add more newsletters?

Daily (Mon-Sun)

Tom's Guide Daily

Sign up to get the latest updates on all of your favorite content! From cutting-edge tech news and the hottest streaming buzz to unbeatable deals on the best products and in-depth reviews, we’ve got you covered.

Signup +

Weekly on Thursday

Tom's AI Guide

Be AI savvy with your weekly newsletter summing up all the biggest AI news you need to know. Plus, analysis from our AI editor and tips on how to use the latest AI tools!

Signup +

Weekly on Friday

Tom's iGuide

Unlock the vast world of Apple news straight to your inbox. With coverage on everything from exciting product launches to essential software updates, this is your go-to source for the latest updates on all the best Apple content.

Signup +

Weekly on Monday

Tom's Streaming Guide

Our weekly newsletter is expertly crafted to immerse you in the world of streaming. Stay updated on the latest releases and our top recommendations across your favorite streaming platforms.

Signup +

---

Join the club

Get full access to premium articles, exclusive features and a growing list of member rewards.

Explore

---

An account already exists for this email address, please log in.

Subscribe to our newsletter

Remember the Microsoft Teams flaw from a couple of weeks ago that didn't let Google Pixel users call 911? It turns out there are at least four security flaws in Microsoft's business-collaboration service, including one that could send you to malware or phishing websites, and Microsoft has fixed only one of them.

Russian information-security firm Positive Technologies chronicled this saga in a blog post Tuesday (Dec. 22), explaining that two of the new vulnerabilities are specific to Android while the two others apply to all operating systems. 

Poisoned image previews

The worst vulnerability lets an attacker swap in a malicious URL, or web link, for the legitimate one when Teams displays a thumbnail preview image. This works in Windows, Mac, iOS and Linux as well as Android.

Using a common network-traffic-intercept tool, Positive Technologies' Fabian Bräunlein made a video clip demonstrating how he substituted a Google link into what appeared to be a Bing link — two domains that would not normally have anything to do with each other.

"When clicking the preview, a different link is opened than what was expected by the user," Bräunlein wrote in the blog post. "This can be used either for improved phishing attacks, or to hide malicious links."

Microsoft was told of all these flaws by Positive Technologies in March of 2021, but the operating-system maker responded that this particular vulnerability "does not pose an immediate threat that requires urgent attention because once the user clicks on the URL, they would have to go to that malicious URL which would be a giveaway that it's not the one the user was expecting." 

Apparently Microsoft's Teams team has never seen a really convincing phishing website.

Spilling the beans

Two of the other flaws reveal information about the other parties on a Team call that should be kept private. 

The first, which Positive Technologies says Microsoft has now patched, lets an attacker send a "specially crafted link preview" to get another person's Internet Protocol (IP) address if the other person views a Teams chat from an Android device. 

That information by itself is not terribly malicious, but having the other party's IP address could let the attacker mount attacks on that user by other means. This flaw was quietly patched even after Microsoft dismissed it as another issue that "does not pose an immediate threat."

The second is more of a problem for Microsoft itself. Bräunlein found that with some clever coding, which he's not revealing, he could get sensitive information about the Microsoft server hosting a Teams chat. 

According to Bräunlein, this "can be used for internal port scanning and sending HTTP-based exploits to the discovered web services," but Microsoft declined to fix it and gave Positive Technologies permission to discuss it publicly.

Start, crash, repeat

The last flaw is just annoying. It lets an attacker (or maybe just a prankster) crash the Teams Android app by sending an invalid image-preview link, or what Bräunlein entertainingly calls the "Message of Death." All you need to do is put something that's not a legitimate weblink in the space where one should be.

"The app keeps crashing when trying to open the chat/channel with the malicious message, which makes the chat/channel unusable for Android users," Bräunlein wrote.

Microsoft told Positive Technologies "that this issue does not require immediate security service" and that a fix "will be considered in a future version" of Teams.

Asked about the Positive Technologies report by Threatpost, Microsoft said that "we've investigated all four reports and have concluded that they do not pose immediate threats requiring a security fix."

"We've received similar reports in the past and have made several recent improvements to the handling of data and security in general," Microsoft added.

The moral of this story is: Maybe don't run Teams on Android, and be very careful about which image links you click in Teams on all platforms. 

You'll also want to run some of the best antivirus software for Windows, Mac, Android and even iOS (where it's just security software) to make sure malicious links are blocked systemwide.