Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/4/2019
06:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Microsoft Security Setting Ironically Increases Risks for Office for Mac Users

Excel's handling of an old macro format gives unauthenticated remote attackers a way to take control of vulnerable systems, Carnegie Mellon's CERT/CC says.

A Microsoft security setting designed to keep users safe from Internet-borne threats has actually made users running the latest versions of Microsoft Office for Mac more vulnerable to remote attacks.

Carnegie Mellon University's CERT Coordination Center (CERT/CC) on Friday warned that systems running Microsoft Office for Mac — including fully patched Office 2016 and Office 2019 versions — can be attacked remotely because of a trivially exploitable bug in Excel involving XLM, an old macro format.

The bug results in XLM macros being enabled to run without prompting on a vulnerable system when a user has configured Excel to do exactly the opposite — that is, to disable all macros without notification.

In a note Friday, CERT/CC at Carnegie Mellon University described the issue as giving unauthenticated remote attackers a way to execute arbitrary code on systems running Office for Mac.

By convincing a user to open specially crafted Microsoft Excel content on a Mac that has "Disable all macros without notification" enabled, a remote attacker can gain the same level of access to the system that the legitimate user has, CERT/CC said in its vulnerability note.

"Attackers can do anything that they want by exploiting this issue," says Will Dormann, senior vulnerability analyst at CERT/CC. "They could install a virus, steal private files, or install ransomware. The sky's the limit."

In a statement, a Microsoft spokeswoman said Microsoft was committed to investigating reported security incidents. "We will provide updates for impacted devices as soon as possible."

The problem lies in how Microsoft Excel handles XLM content in SYLK (SYmbolic LinK) files, Dormann says.

XLM is a macro format that used to be available in Excel versions up to and including Excel 4.0. Though Excel versions since then use VBA macros, Microsoft has continued to support XLM macros in later Excel releases, including those available with the latest Office versions for Mac.

SYLK itself is a file format that has been around since the 1980s for transferring data between the spreadsheet, database, and other applications. Though it is barely used these days, SYLK files continue to be supported in recent Office and Excel versions.

Macros in the SYLK format are problematic because Microsoft Office does not open them up in in Protected View — a mechanism for protecting against files downloaded from unsafe locations, CERT/CC said. As a result, SYLK files gives attackers an opening to try and sneak in malicious content on a device without generating any of the usual Microsoft security alerts.

Researchers from IT security firm Outflank last year showed how attackers could embed malicious XLM content in a SYLK file and get it to auto-execute in Office 2011 for Mac without generating any user alert or macro prompt, Dormann says.

At that time, Microsoft had noted that Excel for Mac 2011 was not supported anymore and thus not eligible for security updates, Dormann says. The company had pointed to Mac Excel 2016 and Mac Excel 2019 as responding correctly in the same situation, Dormann says.

But the reality is that while Excel 2016 and 2019 do indeed prompt before running XLM macros in SYLK files, they do so only with the default security setting of "Disable all macros with notification," he says.

If a user were to choose the stronger "Disable all macros without notification" option, the XLM macro would do the opposite. It would run without generating any macro prompt and not just with Office 2011 for Mac, but with Office 2016 and Office 2019 for Mac as well, Dormann notes.

"It's clearly a mistake," he says. "Microsoft can fix the logic error in the handling of the macro setting in Excel for Mac, but this will require them to both fix the software and also deploy the fixed version."

Until that point, the best option for Mac users is to use "Disable all macros with notification" setting instead. "The trade-off with using this setting is that it increases the risk for modern (VBA) macros, but will prevent automatic exploitation with SYLK XLM macros," Dormann says.

Ever since Outflank published its technique of using XLM macros in SYLK files, attackers have been exploiting the issue in the wild, Dormann says. What's new with CERT/CC's advisory is that a security setting "that should protect against exploitation of the technique ironically makes Mac systems more vulnerable," he adds.

Related Content:

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hachprakash
50%
50%
hachprakash,
User Rank: Apprentice
11/6/2019 | 1:51:40 AM
online training website
Thanks,Inspiring writings and I greatly admired what you have to say , I hope you continue to provide new ideas for us all and greetings success always for you..Keep update more information
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
4 Security Tips as the July 15 Tax-Day Extension Draws Near
Shane Buckley, President & Chief Operating Officer, Gigamon,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...