There is a serious loophole in Mac security, and it is related to macros. The issue affects the Mac version of Microsoft Office.
According to the official advisory, “the Microsoft Office for Mac option “Disable all macros without notification” enables XLM macros without prompting, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.”
The problem arises when Office for the Mac has been configured to use the “Disable all macros without notification” feature. If this is the case, then XLM macros in SYLK files are executed without prompting the user. The issue has been confirmed on fully-patched Office 2016 and Office 2019 for Mac systems.
How can the issue be exploited against Mac users?
“By convincing a user to open specially-crafted Microsoft Excel content on a Mac that has “Disable all macros without notification” enabled, a remote, unauthenticated attacker may be able to execute arbitrary code with privileges of the user running Excel,” the advisory explained.
The issue was first discovered by Outflank security researchers in October last year, and it was reported to Microsoft a year ago. Shortly said, the bug affects Microsoft Excel’s support for a legacy type of macros known as XLM or Excel 4.0 macros.
It is noteworthy that Microsoft has formerly encouraged users of XLM macros to migrate them to the latest variation of Microsoft Visual Basic for Applications (VBA), but still sustains the XLM format.
The problem is that Microsoft Office 2011 for Mac does not properly warn users of the presence of XLM macros within SYLK files.
Currently Microsoft has not received an official patch for the issue in Office for Mac. An option for affected users is to switch from “Disable all macros without notification” to “Disable all macros with notification”.
Another workaround given by CERT is to consider blocking Sylk (.SLK) file attachments at the email gateway. However, this may not do the work, as Outflank researchers say that a boobytrapped .SLK file can be renamed to .CSV.
More information is available in the official advisory.