diff --git a/changes/15538-ms-teams b/changes/15538-ms-teams
new file mode 100644
index 0000000000..da2eac7ff5
--- /dev/null
+++ b/changes/15538-ms-teams
@@ -0,0 +1 @@
+- Fixes 2 vulnerability false positives on Microsoft Teams on MacOS.
\ No newline at end of file
diff --git a/server/service/osquery_utils/queries.go b/server/service/osquery_utils/queries.go
index 966392f2ca..3292b08875 100644
--- a/server/service/osquery_utils/queries.go
+++ b/server/service/osquery_utils/queries.go
@@ -1307,10 +1307,16 @@ func sanitizeSoftware(h *fleet.Host, s *fleet.Software, logger log.Logger) {
 // "Microsoft Teams" on macOS defines the `bundle_short_version` (CFBundleShortVersionString) in a different
 // unexpected version format. Thus here we transform the version string to the expected format
 // (see https://learn.microsoft.com/en-us/officeupdates/teams-app-versioning).
- // E.g. `bundle_short_version` comes with `1.00.622155` and instead it should be transformed to `1.6.00.22155`.
+ // E.g. `bundle_short_version` comes with `1.00.622155` and instead it should be transformed
+ // to `1.6.00.22155` || s.Name == "Microsoft Teams (work or school).app".
+
+ // Note: in December 2023, Microsoft released "New Teams" for MacOS. This new version of
+ // Teams uses a completely different versioning scheme, which is documented at the URL
+ // above. Existing versions of Teams on MacOS were renamed to "Microsoft Teams Classic" and still use
+ // the same versioning scheme discussed above.
 {
 checkSoftware: func(h *fleet.Host, s *fleet.Software) bool {
- return h.Platform == "darwin" && s.Name == "Microsoft Teams.app"
+ return h.Platform == "darwin" && (s.Name == "Microsoft Teams.app" || s.Name == "Microsoft Teams classic.app")
 },
 mutateSoftware: func(s *fleet.Software) {
 if matches := macOSMSTeamsVersion.FindStringSubmatch(s.Version); len(matches) > 0 {
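Review bot: The rewritten example comment in the queries.go hunk ends with a stray expression, `|| s.Name == "Microsoft Teams (work or school).app".`, which reads as if the new Teams bundle were part of the match, although `checkSoftware` accepts only `Microsoft Teams.app` and `Microsoft Teams classic.app`. The second comment line should stop after the example version `1.6.00.22155`. The note also writes "Microsoft Teams Classic" while the comparison is an exact, case-sensitive match on `Microsoft Teams classic.app`, so the comment should use the literal bundle name. Since this rewrite feeds vulnerability matching, I would add a one-line comment such as `// Versions that do not match macOSMSTeamsVersion are left unchanged.`, provided the `len(matches) > 0` guard really has no else branch. Both that regex and the rest of the `mutateSoftware` body are outside the hunk.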
diff --git a/server/service/osquery_utils/queries_test.go b/server/service/osquery_utils/queries_test.go
index a22bf3311b..0f0695959e 100644
--- a/server/service/osquery_utils/queries_test.go
+++ b/server/service/osquery_utils/queries_test.go
@@ -1650,6 +1650,20 @@ func TestSanitizeSoftware(t *testing.T) {
 Version: "2400.1.104",
 },
 },
+ {
+ name: "MS Teams classic on MacOS",
+ h: &fleet.Host{
+ Platform: "darwin",
+ },
+ s: &fleet.Software{
+ Name: "Microsoft Teams classic.app",
+ Version: "1.00.634263",
+ },
+ sanitized: &fleet.Software{
+ Name: "Microsoft Teams classic.app",
+ Version: "1.6.00.34263",
+ },
+ },
 } {
 t.Run(tc.name, func(t *testing.T) {
 sanitizeSoftware(tc.h, tc.s, log.NewNopLogger())
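Review bot: The added table entry pins only the positive case for `Microsoft Teams classic.app`; nothing in this hunk asserts that a new-Teams bundle passes through `sanitizeSoftware` untouched. A negative case matters here because a later widening of the name check would silently rewrite versions of the new scheme and skew vulnerability matching in either direction. I would add a case that uses the bundle name mentioned in the queries.go comment and expects an identical version back. The version below is a constructed sample, and the case assumes no other sanitizer rule applies to that name. The test function's table and loop body extend beyond the hunk.

```go
// … unchanged: "MS Teams classic on MacOS" case …
{
	name: "new MS Teams on MacOS is not rewritten",
	h: &fleet.Host{
		Platform: "darwin",
	},
	s: &fleet.Software{
		Name:    "Microsoft Teams (work or school).app",
		Version: "23320.3021.2567.4799", // constructed sample value
	},
	sanitized: &fleet.Software{
		Name:    "Microsoft Teams (work or school).app",
		Version: "23320.3021.2567.4799", // must come back unchanged
	},
},
```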