Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/4/2019
06:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Microsoft Security Setting Ironically Increases Risks for Office for Mac Users

Excel's handling of an old macro format gives unauthenticated remote attackers a way to take control of vulnerable systems, Carnegie Mellon's CERT/CC says.

A Microsoft security setting designed to keep users safe from Internet-borne threats has actually made users running the latest versions of Microsoft Office for Mac more vulnerable to remote attacks.

Carnegie Mellon University's CERT Coordination Center (CERT/CC) on Friday warned that systems running Microsoft Office for Mac — including fully patched Office 2016 and Office 2019 versions — can be attacked remotely because of a trivially exploitable bug in Excel involving XLM, an old macro format.

The bug results in XLM macros being enabled to run without prompting on a vulnerable system when a user has configured Excel to do exactly the opposite — that is, to disable all macros without notification.

In a note Friday, CERT/CC at Carnegie Mellon University described the issue as giving unauthenticated remote attackers a way to execute arbitrary code on systems running Office for Mac.

By convincing a user to open specially crafted Microsoft Excel content on a Mac that has "Disable all macros without notification" enabled, a remote attacker can gain the same level of access to the system that the legitimate user has, CERT/CC said in its vulnerability note.

"Attackers can do anything that they want by exploiting this issue," says Will Dormann, senior vulnerability analyst at CERT/CC. "They could install a virus, steal private files, or install ransomware. The sky's the limit."

In a statement, a Microsoft spokeswoman said Microsoft was committed to investigating reported security incidents. "We will provide updates for impacted devices as soon as possible."

The problem lies in how Microsoft Excel handles XLM content in SYLK (SYmbolic LinK) files, Dormann says.

XLM is a macro format that used to be available in Excel versions up to and including Excel 4.0. Though Excel versions since then use VBA macros, Microsoft has continued to support XLM macros in later Excel releases, including those available with the latest Office versions for Mac.

SYLK itself is a file format that has been around since the 1980s for transferring data between the spreadsheet, database, and other applications. Though it is barely used these days, SYLK files continue to be supported in recent Office and Excel versions.

Macros in the SYLK format are problematic because Microsoft Office does not open them up in in Protected View — a mechanism for protecting against files downloaded from unsafe locations, CERT/CC said. As a result, SYLK files gives attackers an opening to try and sneak in malicious content on a device without generating any of the usual Microsoft security alerts.

Researchers from IT security firm Outflank last year showed how attackers could embed malicious XLM content in a SYLK file and get it to auto-execute in Office 2011 for Mac without generating any user alert or macro prompt, Dormann says.

At that time, Microsoft had noted that Excel for Mac 2011 was not supported anymore and thus not eligible for security updates, Dormann says. The company had pointed to Mac Excel 2016 and Mac Excel 2019 as responding correctly in the same situation, Dormann says.

But the reality is that while Excel 2016 and 2019 do indeed prompt before running XLM macros in SYLK files, they do so only with the default security setting of "Disable all macros with notification," he says.

If a user were to choose the stronger "Disable all macros without notification" option, the XLM macro would do the opposite. It would run without generating any macro prompt and not just with Office 2011 for Mac, but with Office 2016 and Office 2019 for Mac as well, Dormann notes.

"It's clearly a mistake," he says. "Microsoft can fix the logic error in the handling of the macro setting in Excel for Mac, but this will require them to both fix the software and also deploy the fixed version."

Until that point, the best option for Mac users is to use "Disable all macros with notification" setting instead. "The trade-off with using this setting is that it increases the risk for modern (VBA) macros, but will prevent automatic exploitation with SYLK XLM macros," Dormann says.

Ever since Outflank published its technique of using XLM macros in SYLK files, attackers have been exploiting the issue in the wild, Dormann says. What's new with CERT/CC's advisory is that a security setting "that should protect against exploitation of the technique ironically makes Mac systems more vulnerable," he adds.

Related Content:

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hachprakash
50%
50%
hachprakash,
User Rank: Apprentice
11/6/2019 | 1:51:40 AM
online training website
Thanks,Inspiring writings and I greatly admired what you have to say , I hope you continue to provide new ideas for us all and greetings success always for you..Keep update more information
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-10766
PUBLISHED: 2019-11-19
Pixie versions 1.0.x before 1.0.3, and 2.0.x before 2.0.2 allow SQL Injection in the limit() function due to improper sanitization.
CVE-2019-11289
PUBLISHED: 2019-11-19
Cloud Foundry Routing, all versions before 0.193.0, does not properly validate nonce input. A remote unauthorized malicious user could forge a route service request using an invalid nonce that will cause the Gorouter to crash.
CVE-2011-2922
PUBLISHED: 2019-11-19
ktsuss versions 1.4 and prior spawns the GTK interface to run as root. This can allow a local attacker to escalate privileges to root and use the "GTK_MODULES" environment variable to possibly execute arbitrary code.
CVE-2019-18934
PUBLISHED: 2019-11-19
Unbound 1.6.4 through 1.9.4 contain a vulnerability in the ipsec module that can cause shell code execution after receiving a specially crafted answer. This issue can only be triggered if unbound was compiled with `--enable-ipsecmod` support, and ipsecmod is enabled and used in the configuration.
CVE-2012-6070
PUBLISHED: 2019-11-19
Falconpl before 0.9.6.9-git20120606 misuses the libcurl API which may allow remote attackers to interfere with security checks.