The update mechanism as it is currently implemented in Microsoft Teams desktop app allows downloading and executing arbitrary files on the system.
The same issue affects GitHub, WhatApp, and UiPath software for desktop computers but it can be used only to download a payload.
These applications rely on the open source
Squirrel project to manage installation and updating routines, which uses
NuGet package manager to create the necessary files.
Multiple security researchers discovered that using the 'update' command for a vulnerable application it is possible to execute an arbitrary binary in the context of the current user. The same goes for 'squirrel.exe.' With Microsoft Teams, a payload is added to its folder and executed automatically using either of the following commands:
... ...