In a blog post written by Andrey Belenko, Microsoft said it has recently announced a new version of the Microsoft Teams desktop app. The post is an overview of architectural changes in the new Teams, said the software giant.
According to the firm, the new version brings security improvements by switching from Electron to WebView2 and by deploying safer MSIX packages instead of bespoke solutions. Now, let's take a look at the new Microsoft Teams update.
Deploying Safer MSIX Packages
According to the software giant, the new Teams no longer relies on bespoke solutions for deployment and updates. Instead, it now leverages MSIX packages and App Installer, which are both natively supported by Windows.
With the new MSIX packages, Teams now has a greatly reduced risk surface and lower maintenance costs compared to using a custom installer and updater. At the same time, the firm added that it is also moving away from installing Teams in the user profile.
Installing in the user profile is straightforward and does not call for higher rights, but it also facilitates routine post-exploitation tasks such as maintaining persistence. Because it depends on App Installer for installation, the new Teams will be installed in a privileged location where non-administrator users cannot tamper with its executable files.
Switching from Electron to WebView2
One of the most significant architectural changes in the new Teams is the move from Electron to Edge WebView2. The Chromium browser engine serves as the foundation for both Electron and WebView2, but moving to WebView2 gives the new Teams access to several efficiencies.
Andrey Belenko noted that the new Teams on Windows leverages WebView2 in an evergreen distribution model. This means the WebView2 runtime updates with the Edge browser, independently of the Teams client, and it can be shared across multiple embedding applications.
The evergreen distribution model also comes with the security benefit of providing the latest and most secure runtime for embedding apps. Microsoft said switching to the evergreen WebView2 runtime enables it to reduce the workload associated with backporting and to deliver security fixes to customers faster.
The New Microsoft Teams Improvements
All in all, Microsoft added that the new Teams has been greatly improved with better security on the web through Trusted Types. These improvements can be summarised as follows:
Modernizing web framework stack: Here the new Teams is rebuilt using React. Microsoft said it opted for React because it makes it easier for engineers to write more secure code.
The Content Security Policy (CSP) has also been improved to allow for more granular adjustments, resulting in a tighter and more finely tuned policy.
And finally, the firm added that it has invested significantly in mitigating cross-site scripting attacks and deployed Trusted Types. Trusted Types is a browser-enforced technology designed to prevent client-side XSS, such as ones resulting from writing non-sanitized HTML markup into the DOM.
When Trusted Types is enabled, the browser will guard properties and functions that may result in DOM modification against being assigned or called with inputs not processed by an approved sanitization function.
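The enforcement described above, as an added example that is not Microsoft's code and is not taken from the blog post: the CSP directives that switch Trusted Types on, and a named policy whose createHTML is the approved sanitization function for an innerHTML sink. The policy name app-escape and the helper names are hypothetical; the sanitizer here only escapes metacharacters so that the block stays self-contained.

```javascript
// Added example, not Teams code. POLICY_NAME and all helper names are hypothetical.
const POLICY_NAME = 'app-escape';

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// The "approved sanitization function": it escapes HTML metacharacters, so
// untrusted input is rendered as text and can never become markup.
function escapeHTML(input) {
  return String(input).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// CSP value that turns enforcement on: DOM injection sinks then reject plain
// strings, and only policies with the listed names may be created.
function trustedTypesCsp(policyNames) {
  const valid = /^[A-Za-z0-9\-#=_\/@.%]+$/; // policy-name grammar in the Trusted Types spec
  if (policyNames.length === 0) throw new Error('at least one policy name is required');
  for (const name of policyNames) {
    if (!valid.test(name)) throw new Error(`invalid policy name: ${name}`);
  }
  return `require-trusted-types-for 'script'; trusted-types ${policyNames.join(' ')}`;
}

let cachedPolicy; // createPolicy rejects a duplicate name by default, so create it once
function getPolicy() {
  if (cachedPolicy) return cachedPolicy;
  const rules = { createHTML: escapeHTML };
  const tt = globalThis.trustedTypes;
  // With Trusted Types: createHTML returns a TrustedHTML object the sink accepts.
  // Without it (older browsers, Node): same sanitizer, plain string result.
  cachedPolicy = tt && tt.createPolicy ? tt.createPolicy(POLICY_NAME, rules) : rules;
  return cachedPolicy;
}

// The single code path that writes markup into the DOM.
function renderUntrusted(el, untrusted) {
  el.innerHTML = getPolicy().createHTML(untrusted);
  return el;
}
```

With the header from trustedTypesCsp([POLICY_NAME]) in force, a direct string assignment such as el.innerHTML = userInput throws a TypeError in a supporting browser, while renderUntrusted keeps working.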