Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/4/2019
06:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Microsoft Security Setting Ironically Increases Risks for Office for Mac Users

Excel's handling of an old macro format gives unauthenticated remote attackers a way to take control of vulnerable systems, Carnegie Mellon's CERT/CC says.

A Microsoft security setting designed to keep users safe from Internet-borne threats has actually made users running the latest versions of Microsoft Office for Mac more vulnerable to remote attacks.

Carnegie Mellon University's CERT Coordination Center (CERT/CC) on Friday warned that systems running Microsoft Office for Mac — including fully patched Office 2016 and Office 2019 versions — can be attacked remotely because of a trivially exploitable bug in Excel involving XLM, an old macro format.

The bug results in XLM macros being enabled to run without prompting on a vulnerable system when a user has configured Excel to do exactly the opposite — that is, to disable all macros without notification.

In a note Friday, CERT/CC at Carnegie Mellon University described the issue as giving unauthenticated remote attackers a way to execute arbitrary code on systems running Office for Mac.

By convincing a user to open specially crafted Microsoft Excel content on a Mac that has "Disable all macros without notification" enabled, a remote attacker can gain the same level of access to the system that the legitimate user has, CERT/CC said in its vulnerability note.

"Attackers can do anything that they want by exploiting this issue," says Will Dormann, senior vulnerability analyst at CERT/CC. "They could install a virus, steal private files, or install ransomware. The sky's the limit."

In a statement, a Microsoft spokeswoman said Microsoft was committed to investigating reported security incidents. "We will provide updates for impacted devices as soon as possible."

The problem lies in how Microsoft Excel handles XLM content in SYLK (SYmbolic LinK) files, Dormann says.

XLM is a macro format that used to be available in Excel versions up to and including Excel 4.0. Though Excel versions since then use VBA macros, Microsoft has continued to support XLM macros in later Excel releases, including those available with the latest Office versions for Mac.

SYLK itself is a file format that has been around since the 1980s for transferring data between the spreadsheet, database, and other applications. Though it is barely used these days, SYLK files continue to be supported in recent Office and Excel versions.

Macros in the SYLK format are problematic because Microsoft Office does not open them up in in Protected View — a mechanism for protecting against files downloaded from unsafe locations, CERT/CC said. As a result, SYLK files gives attackers an opening to try and sneak in malicious content on a device without generating any of the usual Microsoft security alerts.

Researchers from IT security firm Outflank last year showed how attackers could embed malicious XLM content in a SYLK file and get it to auto-execute in Office 2011 for Mac without generating any user alert or macro prompt, Dormann says.

At that time, Microsoft had noted that Excel for Mac 2011 was not supported anymore and thus not eligible for security updates, Dormann says. The company had pointed to Mac Excel 2016 and Mac Excel 2019 as responding correctly in the same situation, Dormann says.

But the reality is that while Excel 2016 and 2019 do indeed prompt before running XLM macros in SYLK files, they do so only with the default security setting of "Disable all macros with notification," he says.

If a user were to choose the stronger "Disable all macros without notification" option, the XLM macro would do the opposite. It would run without generating any macro prompt and not just with Office 2011 for Mac, but with Office 2016 and Office 2019 for Mac as well, Dormann notes.

"It's clearly a mistake," he says. "Microsoft can fix the logic error in the handling of the macro setting in Excel for Mac, but this will require them to both fix the software and also deploy the fixed version."

Until that point, the best option for Mac users is to use "Disable all macros with notification" setting instead. "The trade-off with using this setting is that it increases the risk for modern (VBA) macros, but will prevent automatic exploitation with SYLK XLM macros," Dormann says.

Ever since Outflank published its technique of using XLM macros in SYLK files, attackers have been exploiting the issue in the wild, Dormann says. What's new with CERT/CC's advisory is that a security setting "that should protect against exploitation of the technique ironically makes Mac systems more vulnerable," he adds.

Related Content:

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hachprakash
50%
50%
hachprakash,
User Rank: Apprentice
11/6/2019 | 1:51:40 AM
online training website
Thanks,Inspiring writings and I greatly admired what you have to say , I hope you continue to provide new ideas for us all and greetings success always for you..Keep update more information
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...