Security Experts:

Microsoft Office for Mac Users Exposed to Macro-Based Attacks

Microsoft Office for Mac does not properly disable XLM macros, thus exposing users to code execution attacks, the CERT Coordination Center (CERT/CC) at Carnegie Mellon University warns.

The issue is that the “Disable all macros without notification” option in Microsoft Office for Mac enables XLM macros without displaying a prompt, CERT/CC explains in a new vulnerability note.

The XLM macro format was available in Microsoft Excel versions up to 4.0, when it was replaced by the VBA macros. Although VBA macros are more common with modern Office systems, XLM macros continue to be supported.

XLM macros can be incorporated into SYLK (SYmbolic LinK) files (extension SLK), which poses a problem because the macros in the SYLK format do not open in Protected View. Thus, users are not protected when opening a document that contains such a macro.

“This means that users may be a single click away from arbitrary code execution via a document that originated from the internet,” CERT/CC says.

Office 2011 for Mac is prone to this vulnerability, as it fails to warn users before opening SYLK files containing XLM macros.

The issue was initially detailed in October last year and new research was published in late October 2019. This prompted an advisory from CERT/CC, which says that fully-patched Office 2016 and Office 2019 for Mac systems are vulnerable as well.

“If Office for the Mac has been configured to use the ‘Disable all macros without notification’ feature, XLM macros in SYLK files are executed without prompting the user,” the CERT/CC vulnerability note reads.

A remote, unauthenticated attacker able to entice the user into opening specially-crafted Microsoft Excel content on a Mac where the "Disable all macros without notification" option is enabled in Office may be able to execute arbitrary code with the privileges of the user.

Proposed workarounds include blocking SYLK files at email and web gateways and enabling the "Disable all macros with notification" option which, although less secure for modern VBA macros, does not allow for arbitrary code execution without a prompt when XLM macros in SYLK files are used.

UPDATE. Microsoft has provided SecurityWeek the following statement:

“Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible.”

Related: Macro Malware Comes to macOS

Related: Microsoft Patches Zero-Day Vulnerability in Office

Related: Asruex Malware Exploits Old Vulnerabilities to Infect PDF, Word Docs

view counter