Microsoft has recently announced a new version of the Microsoft Teams desktop app. For an overview of architectural changes in the new Teams, read “Advantages of the new architecture”. In this blog post, we will describe some of the security improvements this new Teams version brings.
Safer deployment with MSIX
The new Teams no longer relies on bespoke solutions for deployment and updates. Instead, it now leverages MSIX packages and App Installer that are both natively supported by Windows. This greatly reduces risk surface and maintenance cost compared to using a custom installer and updater.
We are also moving away from installing Teams in the user profile. While installing in the user profile is convenient and does not require elevated privileges, it also makes common post-exploitation activities, such as maintaining persistence, easier. The new Teams relies on App Installer for installations and will install in a privileged location, where non-administrator users cannot tamper with its executable files.
Faster updates with Edge WebView2 runtime
One of the most significant architectural changes in the new Teams is the move from Electron to Edge WebView2. Both Electron and WebView2 are ultimately based on the same Chromium browser engine, but switching to WebView2 allows the new Teams to benefit from various efficiencies.
For example, the new Teams on Windows leverages WebView2 in evergreen distribution model. This means WebView2 runtime updates with Edge browser and independently of the Teams client, and it can be shared across multiple embedding applications (for example, Teams and Outlook). This saves storage space on the user’s device by sharing WebView2 instance between multiple embedding applications.
The evergreen distribution model also comes with security benefit of providing the latest and most secure runtime for embedding apps. Even though we do have a program in place to ensure classic Teams clients receive applicable security fixes from Chromium, switching to evergreen WebView2 runtime enables us to reduce workload associated with backporting and to deliver security fixes to our customers faster.
Less bloated application
Another effect of switching from Electron to WebView2 is that the main Teams executable is slimmer: less than 12 megabytes for the new Teams versus over 134 megabytes for classic Teams.
This is simply because classic Teams is serviced by an Electron executable, including most of Chromium, Node.js, and all of Electron’s logic. Perhaps surprisingly, it includes very little application logic – most of which is delivered alongside the executable as JavaScript and DLL files. In other words, there’s a bit of overhead and extra risk surface.
In contrast, the new Teams’ main executable primarily contains application logic and required infrastructure. It includes neither Chromium nor Node.js. Absence of V8 (the JavaScript engine used by both Node.js and Chromium) or any other compilers/interpreters in particular gives us more freedom to deploy more process and memory safety mitigations in the future.
Better security on the web with Trusted Types
Let's now talk about improvements we have made on the web. The new Teams remains a hybrid client where the client app (a “shell”) loads and displays remote content from a website. With such hybrid architecture, the security of the web layer is an inseparable part of the overall client security, and it, too, has received some major improvements in the new Teams.
- We have a modernized web framework stack. The new Teams is rebuilt using React. We opted for React because it makes it is easier for engineers to write more secure code.
- We have improved Content Security Policy (CSP) infrastructure to allow for more granular adjustments, resulting in a tighter and more finely tuned policy.
- We have invested significantly in mitigating cross-site scripting attacks (XSS) and deployed Trusted Types. Trusted Types is a browser-enforced technology designed to prevent client-side XSS, such as ones resulting from writing non-sanitized HTML markup into DOM. When Trusted Types is enabled, the browser will guard properties and functions that may result in DOM modification (so-called “sinks”) against being assigned or called with inputs not processed by an approved sanitization function. We believe Trusted Types adoption will meaningfully improve resistance of the new Teams against XSS.
This is just the beginning
Security is a journey, and your feedback is critical for our success. Try the new Teams and let us know your thoughts! If you find a security vulnerability in Teams or any other Microsoft product, please report it to the MSRC Researcher Portal. We are running a security bug bounty program, so the folks who report may be eligible for a reward.
