A security hole in Office for Mac can be exploited by miscreants to potentially run malicious code on victims' shiny computers without anyone noticing.
The CERT Coordination Center at Carnegie Mellon University, on the US East Coast, warns the bug arises when folks activate the "disable all macros without notification" option in Office for Mac. This itself is a good security move, in that it's supposed to block code embedded in documents from running without first asking the user for approval.
However, with this setting switched on, one type of macro, XLM, remains enabled, and will run without any notification when a document is opened, CERT has warned.
"If Office for the Mac has been configured to use the 'Disable all macros without notification' feature, XLM macros in SYLK files are executed without prompting the user," CERT explains. "We have confirmed this behavior with fully-patched Office 2016 and Office 2019 for Mac systems."
As you might imagine, having XLM macros running without any kind of prompt is a serious risk. The macro language is powerful enough to launch files and execute commands, meaning an attacker will effectively have remote code execution on the target system with the current user's security clearance.
"Macros in the SYLK format are problematic in that Microsoft Office does not open in Protected View to help protect users," says CERT CC. "This means that users may be a single click away from arbitrary code execution via a document that originated from the internet."
In practice, an attacker could exploit the bug by embedding malicious XLM code into a SYLK file and then, via spear-phishing or other social engineering methods, convince a mark to open the poisoned file in Office for Mac.
When Microsoft was asked for comment, its spinners provided the following heavily encrypted response: "Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible."
Make of that what you will. It sounds as though it will be patched soon, maybe?
While there is no fix available right now for the security shortcoming, users can opt to "disable all macros with notification." As CERT CC put it earlier this month:
Although "Disable all macros with notification" is less secure than "Disable all macros without notification" for modern VBA macros, the latter setting can allow for arbitrary code execution without any prompting when an XLM macro is used in a SYLK file. Until this issue is addressed, using the "Disable all macros with notification" is a more secure setting on Mac systems.
Alternatively, administrators can protect end-users by setting their email and web gateways to filter out SYLK (extension .slk) files. Perhaps that option is best. ®
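As an added illustration of that gateway filter (example code written for this page, not anything from CERT or Microsoft), here is a Python check that identifies SYLK content by its leading ID record rather than trusting the .slk extension, and flags the Excel 4.0 macro indicators a defender would key on. The O;E macro-sheet record and the list of risky XLM functions are assumptions taken from public SYLK/XLM format descriptions, and both sample files are constructed for the demo.

```python
import re

# Constructed sample inputs (not from the article): one benign SYLK sheet
# and one carrying a macro-sheet flag plus a formula cell that calls an
# XLM command function with a placeholder argument.
BENIGN_SLK = "ID;PWXL;N;E\r\nC;Y1;X1;K42\r\nC;Y1;X2;K\"total\"\r\nE\r\n"
SUSPECT_SLK = "ID;PWXL;N;E\r\nO;E\r\nC;Y1;X1;EEXEC(\"placeholder\")\r\nE\r\n"

# XLM (Excel 4.0) functions that can launch programs, call native code or
# touch the file system. Assumed list; extend it to match local policy.
XLM_RISKY = re.compile(r"\b(EXEC|CALL|REGISTER|RUN|FOPEN|FWRITE)\s*\(", re.I)


def is_sylk(data: bytes) -> bool:
    """SYLK documents open with an ID record ('ID;...'); check bytes, not the name."""
    return data.lstrip()[:3] == b"ID;"


def scan_sylk(data: bytes) -> dict:
    """Report whether the data is SYLK, declares a macro sheet, or holds risky formulas."""
    findings = {"is_sylk": is_sylk(data), "macro_sheet": False, "risky_cells": []}
    if not findings["is_sylk"]:
        return findings
    text = data.decode("latin-1", errors="replace")
    for line in text.splitlines():
        fields = line.split(";")
        rec = fields[0]
        # 'O;E' option record marks the sheet as an Excel 4.0 macro sheet
        # (assumption from public XLM/SYLK write-ups, not from the article).
        if rec == "O" and "E" in fields[1:]:
            findings["macro_sheet"] = True
        # 'C' cell records carry a formula in a field starting with 'E'.
        if rec == "C":
            for field in fields[1:]:
                if field.startswith("E") and XLM_RISKY.search(field[1:]):
                    findings["risky_cells"].append(field[1:])
    return findings


def should_block(data: bytes) -> bool:
    """Gateway policy: drop SYLK content that is a macro sheet or has risky formulas."""
    r = scan_sylk(data)
    return r["is_sylk"] and (r["macro_sheet"] or bool(r["risky_cells"]))
```

Blocking on content rather than extension alone closes the obvious gap of a renamed attachment, and the findings dict gives the mail gateway something concrete to log.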