
Microsoft Office for Mac Can’t Disable XLM Macros

There is a serious loophole in the macro handling of Microsoft Office for Mac: a setting meant to disable all macros can instead let a legacy type of macro run with no prompt at all.

According to the official advisory, “the Microsoft Office for Mac option ‘Disable all macros without notification’ enables XLM macros without prompting, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.”

The problem arises when Office for Mac has been configured with the “Disable all macros without notification” option. In that configuration, XLM macros embedded in SYLK (Symbolic Link, .SLK) files are executed without prompting the user. The issue has been confirmed on fully-patched Office 2016 and Office 2019 for Mac systems.

How can the issue be exploited against Mac users?

“By convincing a user to open specially-crafted Microsoft Excel content on a Mac that has ‘Disable all macros without notification’ enabled, a remote, unauthenticated attacker may be able to execute arbitrary code with privileges of the user running Excel,” the advisory explained.

The issue was first discovered by Outflank security researchers in October last year and reported to Microsoft at that time, roughly a year before the advisory was published. In short, the bug affects Microsoft Excel’s support for a legacy type of macros known as XLM, or Excel 4.0, macros.


It is noteworthy that Microsoft has long encouraged users of XLM macros to migrate them to the current macro language, Visual Basic for Applications (VBA), but Excel still supports the XLM format.

Separately, the older Microsoft Office 2011 for Mac does not properly warn users of the presence of XLM macros within SYLK files at all.

Microsoft has not yet released an official patch for the issue in Office for Mac. An option for affected users is to switch the macro setting from “Disable all macros without notification” to “Disable all macros with notification”, so that Excel prompts before running anything.

Another workaround given by CERT is to consider blocking SYLK (.SLK) file attachments at the email gateway. However, this may not be sufficient, as Outflank researchers note that a booby-trapped .SLK file can simply be renamed to .CSV; Excel recognizes the format from the file contents, not the extension, so the macros still run.
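Because Excel identifies SYLK by its contents, an extension filter at the gateway is easy to sidestep, as the renaming trick above shows. A content-based check is the practical complement: a SYLK file always begins with an `ID;` record, and the macro-bearing variant described earlier (XLM macros in SYLK files) carries an `O;E` option record marking the sheet as an Excel 4.0 macro sheet, an `NN` name record such as `Auto_Open` that triggers on open, and `C` cell records whose `E` field holds the formula. The following is an added example written for this article; it is not code from the article, CERT, or Outflank. The record layout follows the public SYLK format; the list of “dangerous” XLM functions and the block/suspicious/clean thresholds are heuristics chosen for this example, and the sample inputs are constructed, not real malware.

```python
"""
Content-based detection of SYLK spreadsheets carrying XLM (Excel 4.0) macros,
independent of the file extension.  Added example, not the article's own code.
"""
import re

# XLM functions that spawn processes or load native code.
# Heuristic list for this example; not exhaustive.
DANGEROUS_XLM = {"EXEC", "CALL", "REGISTER", "RUN", "FORMULA", "FOPEN"}
FUNC_RE = re.compile(r"\b([A-Z][A-Z0-9.]*)\s*\(")


def is_sylk(data: bytes) -> bool:
    """A SYLK file starts with an ID record, whatever its extension says."""
    return data.lstrip().startswith(b"ID;")


def parse_records(data: bytes):
    """Yield (record_type, [fields]) per line; SYLK fields are ';'-separated."""
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        if line:
            parts = line.split(";")
            yield parts[0], parts[1:]


def analyze_sylk(data: bytes) -> dict:
    """Collect XLM macro indicators from a SYLK byte string."""
    findings = {
        "is_sylk": is_sylk(data),
        "macro_sheet": False,      # O;E option record: sheet is an XLM macro sheet
        "auto_open": False,        # NN record naming Auto_Open/Auto_Close
        "formulas": [],            # E (expression) fields of C records
        "dangerous_calls": set(),  # formula functions from DANGEROUS_XLM
    }
    if not findings["is_sylk"]:
        return findings
    for rtype, fields in parse_records(data):
        if rtype == "O" and "E" in fields:
            findings["macro_sheet"] = True
        elif rtype == "NN":
            if any(f.upper().startswith(("NAUTO_OPEN", "NAUTO_CLOSE")) for f in fields):
                findings["auto_open"] = True
        elif rtype == "C":
            for f in fields:
                if f.startswith("E") and len(f) > 1:
                    expr = f[1:]
                    findings["formulas"].append(expr)
                    for fn in FUNC_RE.findall(expr.upper()):
                        if fn in DANGEROUS_XLM:
                            findings["dangerous_calls"].add(fn)
    return findings


def verdict(data: bytes) -> str:
    """Gateway-style decision: 'block', 'suspicious' or 'clean'."""
    f = analyze_sylk(data)
    if not f["is_sylk"]:
        return "clean"                      # not SYLK; out of scope for this check
    if f["dangerous_calls"] or (f["macro_sheet"] and f["auto_open"]):
        return "block"
    if f["macro_sheet"]:
        return "suspicious"                 # macro sheet, but nothing obviously harmful
    return "clean"                          # ordinary SYLK data, formulas allowed


# Constructed samples for this example (no real malware).  The first has the
# structure of a macro-bearing SYLK file that has been renamed to .csv.
MALICIOUS_AS_CSV = (
    b"ID;P\r\n"
    b"O;E\r\n"
    b"NN;NAuto_Open;ER1C1\r\n"
    b"C;X1;Y1;K0;EEXEC(\"/usr/bin/open -a Calculator\")\r\n"
    b"C;X1;Y2;K0;EHALT()\r\n"
    b"E\r\n"
)
BENIGN_SYLK = (
    b"ID;PWXL;N;E\r\n"
    b"C;Y1;X1;K\"Quarter\"\r\n"
    b"C;Y1;X2;K10\r\n"
    b"C;Y1;X3;K12\r\n"
    b"C;Y2;X2;K22;ESUM(R1C2:R1C3)\r\n"
    b"E\r\n"
)
REAL_CSV = b"name,amount\r\nalice,10\r\n"

if __name__ == "__main__":
    for label, blob in (("renamed .csv", MALICIOUS_AS_CSV),
                        ("benign .slk", BENIGN_SYLK),
                        ("plain .csv", REAL_CSV)):
        print(f"{label:13s} -> {verdict(blob)}  {analyze_sylk(blob)['dangerous_calls'] or ''}")
```

The check runs on the bytes of the attachment, so renaming `.slk` to `.csv` changes nothing; a plain CSV fails the `ID;` test immediately and passes through. Ordinary SYLK with worksheet formulas is still allowed, since only the macro-sheet marker and process-spawning functions raise the verdict.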

More information is available in the official advisory.

Milena Dimitrova
