PSA: Turning off silent macros in Office for Mac leaves users wide open to silent macro attacks

Microsoft seems a bit hazy on what 'disable' actually means

A security hole in Office for Mac can be exploited by miscreants to potentially run malicious code on victims' shiny computers without anyone noticing.

The CERT Coordination Center at Carnegie Mellon University, on the US East Coast, warns the bug arises when folks activate the "disable all macros without notification" option in Office for Mac. This is itself a sound security move: the setting is supposed to block any macro code embedded in documents from running, silently and without first asking the user for approval.

However, with this setting switched on, one type of macro, XLM, remains enabled, and will run without any notification when a document is opened, CERT has warned.

"If Office for the Mac has been configured to use the 'Disable all macros without notification' feature, XLM macros in SYLK files are executed without prompting the user," CERT explains. "We have confirmed this behavior with fully-patched Office 2016 and Office 2019 for Mac systems."

As you might imagine, having XLM macros running without any kind of prompt is a serious risk. The macro language is powerful enough to launch files and execute commands, meaning an attacker will effectively have remote code execution on the target system with the current user's security clearance.

"Macros in the SYLK format are problematic in that Microsoft Office does not open in Protected View to help protect users," says CERT CC. "This means that users may be a single click away from arbitrary code execution via a document that originated from the internet."

In practice, an attacker could exploit the bug by embedding malicious XLM code into a SYLK file and then, via spear-phishing or other social engineering methods, convincing a mark to open the poisoned file in Office for Mac.

When Microsoft was asked for comment, its spinners provided the following heavily encrypted response: "Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible."

Make of that what you will. It sounds as though it will be patched soon, maybe?

While there is no fix available right now for the security shortcoming, users can opt to "disable all macros with notification." As CERT CC put it earlier this month:

Although "Disable all macros with notification" is less secure than "Disable all macros without notification" for modern VBA macros, the latter setting can allow for arbitrary code execution without any prompting when an XLM macro is used in a SYLK file. Until this issue is addressed, using the "Disable all macros with notification" is a more secure setting on Mac systems.

Alternatively, administrators can protect end-users by setting their email and web gateways to filter out SYLK (extension .slk) files. Perhaps that option is best. ®
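The gateway filter suggested above is straightforward to implement, but matching only on the .slk extension misses a SYLK file that arrives under a different name. The following is an added example written for this article, not code from CERT CC or Microsoft: it classifies an attachment as SYLK if its filename ends in .slk or if its content begins with the SYLK header record `ID;P` (the format's leading record). The `inspect_attachment` and `scan_all` helpers and the three sample attachments are constructed for illustration.

```python
"""Attachment filter for SYLK files, as a gateway mitigation for the
Office for Mac XLM macro issue.

A file is flagged when either its name carries the .slk extension or its
content starts with the SYLK "ID;P" header record, so a SYLK file that has
been renamed to .csv (or anything else) is still caught.
"""
from dataclasses import dataclass

# Extension the article recommends filtering, plus the SYLK header record.
SYLK_EXTENSIONS = (".slk",)
SYLK_MAGIC = b"ID;P"


@dataclass
class Verdict:
    filename: str
    by_extension: bool
    by_content: bool

    @property
    def block(self) -> bool:
        # Either signal is enough to quarantine the attachment.
        return self.by_extension or self.by_content


def has_sylk_extension(filename: str) -> bool:
    # Case-insensitive match so "Report.SLK" is treated like "report.slk".
    return filename.lower().endswith(SYLK_EXTENSIONS)


def looks_like_sylk(data: bytes) -> bool:
    # SYLK is a text format whose first record is the ID record. Tolerate a
    # UTF-8 byte-order mark and leading whitespace that a sender might add.
    head = data[:64]
    if head.startswith(b"\xef\xbb\xbf"):
        head = head[3:]
    return head.lstrip().startswith(SYLK_MAGIC)


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    # Hypothetical gateway hook: name and raw bytes of one attachment.
    return Verdict(filename, has_sylk_extension(filename), looks_like_sylk(data))


# Constructed samples (benign, no macro content): a minimal SYLK sheet, the
# same content under a misleading .csv name, and an ordinary CSV file.
SAMPLES = {
    "quarterly.slk": b"ID;PWXL;N;E\r\nC;X1;Y1;K\"hello\"\r\nE\r\n",
    "invoice.csv": b"ID;PWXL;N;E\r\nC;X1;Y1;K1\r\nE\r\n",
    "report.csv": b"name,total\r\nwidget,42\r\n",
}


def scan_all(samples=SAMPLES) -> dict:
    # Map each attachment name to True when it should be blocked.
    return {name: inspect_attachment(name, data).block for name, data in samples.items()}


if __name__ == "__main__":
    for name, blocked in scan_all().items():
        print(f"{name}: {'BLOCK' if blocked else 'allow'}")
```

Running the script blocks both quarterly.slk and the renamed invoice.csv while allowing report.csv. A real gateway would feed every attachment (including members of archives) through `inspect_attachment` before delivery; the content check is the part that matters, since the extension check alone is defeated by a simple rename.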


Biting the hand that feeds IT © 1998–2022