
Microsoft Office for Mac Users Exposed to Macro-Based Attacks

Microsoft Office for Mac does not properly disable XLM macros, thus exposing users to code execution attacks, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University warns.

The issue is that the “Disable all macros without notification” option in Microsoft Office for Mac enables XLM macros without displaying a prompt, CERT/CC explains in a new vulnerability note.

The XLM macro format was available in Microsoft Excel versions up to 4.0, when it was replaced by VBA macros. Although VBA macros are more common in modern Office versions, XLM macros continue to be supported.

XLM macros can be incorporated into SYLK (SYmbolic LinK) files (extension SLK), which poses a problem because the macros in the SYLK format do not open in Protected View. Thus, users are not protected when opening a document that contains such a macro.

“This means that users may be a single click away from arbitrary code execution via a document that originated from the internet,” CERT/CC says.

Office 2011 for Mac is prone to this vulnerability, as it fails to warn users before opening SYLK files containing XLM macros.

The issue was initially detailed in October last year and new research was published in late October 2019. This prompted an advisory from CERT/CC, which says that fully-patched Office 2016 and Office 2019 for Mac systems are vulnerable as well.

“If Office for the Mac has been configured to use the ‘Disable all macros without notification’ feature, XLM macros in SYLK files are executed without prompting the user,” the CERT/CC vulnerability note reads.

A remote, unauthenticated attacker able to entice the user into opening specially-crafted Microsoft Excel content on a Mac where the “Disable all macros without notification” option is enabled in Office may be able to execute arbitrary code with the privileges of the user.

Proposed workarounds include blocking SYLK files at email and web gateways and enabling the “Disable all macros with notification” option which, although less secure for modern VBA macros, does not allow for arbitrary code execution without a prompt when XLM macros in SYLK files are used.
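As an illustration of the gateway workaround (an added example, not code from CERT/CC, Microsoft or SecurityWeek), the Python below flags e-mail attachments that are SYLK either by file name or by content, so that SYLK data sent under a different name is also caught. It assumes a SYLK file begins with an `ID;P` record; the sample message, its file names and the function names are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

SYLK_EXTENSION = ".slk"   # extension named in the article
SYLK_MAGIC = b"ID;P"      # assumption: SYLK data starts with an "ID" record

def looks_like_sylk(filename, payload):
    """Return why a part should be blocked ('extension'/'content'), else None."""
    name = (filename or "").strip().lower()
    if name.endswith(SYLK_EXTENSION):
        return "extension"
    # Heuristic content check; tolerate a UTF-8 BOM or leading whitespace.
    # A CSV whose first header is e.g. "ID;Price" also matches, so prefer
    # quarantine over silent deletion.
    if payload.lstrip(b"\xef\xbb\xbf \t\r\n").startswith(SYLK_MAGIC):
        return "content"
    return None

def scan_message(raw_bytes):
    """Return [(filename, reason)] for every MIME leaf part to block."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        reason = looks_like_sylk(part.get_filename(), payload)
        if reason:
            hits.append((part.get_filename(), reason))
    return hits

def build_sample():
    """Constructed message: benign SYLK data (no macros) under two names."""
    sylk = b'ID;PWXL;N;E\nC;Y1;X1;K"hello"\nE\n'
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachments")
    for data, name in ((sylk, "Report.SLK"), (sylk, "report.csv"),
                       (b"id,name\n1,alice\n", "users.csv")):
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for filename, reason in scan_message(build_sample()):
        print(f"block {filename!r}: matched by {reason}")
```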

UPDATE. Microsoft has provided SecurityWeek the following statement:

“Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible.”

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
