Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

11/4/2019
06:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Microsoft Security Setting Ironically Increases Risks for Office for Mac Users

Excel's handling of an old macro format gives unauthenticated remote attackers a way to take control of vulnerable systems, Carnegie Mellon's CERT/CC says.

A Microsoft security setting designed to keep users safe from Internet-borne threats has actually made users running the latest versions of Microsoft Office for Mac more vulnerable to remote attacks.

Carnegie Mellon University's CERT Coordination Center (CERT/CC) on Friday warned that systems running Microsoft Office for Mac — including fully patched Office 2016 and Office 2019 versions — can be attacked remotely because of a trivially exploitable bug in Excel involving XLM, an old macro format.

The bug results in XLM macros being enabled to run without prompting on a vulnerable system when a user has configured Excel to do exactly the opposite — that is, to disable all macros without notification.

In a note Friday, CERT/CC at Carnegie Mellon University described the issue as giving unauthenticated remote attackers a way to execute arbitrary code on systems running Office for Mac.

By convincing a user to open specially crafted Microsoft Excel content on a Mac that has "Disable all macros without notification" enabled, a remote attacker can gain the same level of access to the system that the legitimate user has, CERT/CC said in its vulnerability note.

"Attackers can do anything that they want by exploiting this issue," says Will Dormann, senior vulnerability analyst at CERT/CC. "They could install a virus, steal private files, or install ransomware. The sky's the limit."

In a statement, a Microsoft spokeswoman said Microsoft was committed to investigating reported security incidents. "We will provide updates for impacted devices as soon as possible."

The problem lies in how Microsoft Excel handles XLM content in SYLK (SYmbolic LinK) files, Dormann says.

XLM is a macro format that used to be available in Excel versions up to and including Excel 4.0. Though Excel versions since then use VBA macros, Microsoft has continued to support XLM macros in later Excel releases, including those available with the latest Office versions for Mac.

SYLK itself is a file format that has been around since the 1980s for transferring data between the spreadsheet, database, and other applications. Though it is barely used these days, SYLK files continue to be supported in recent Office and Excel versions.

Macros in the SYLK format are problematic because Microsoft Office does not open them up in in Protected View — a mechanism for protecting against files downloaded from unsafe locations, CERT/CC said. As a result, SYLK files gives attackers an opening to try and sneak in malicious content on a device without generating any of the usual Microsoft security alerts.

Researchers from IT security firm Outflank last year showed how attackers could embed malicious XLM content in a SYLK file and get it to auto-execute in Office 2011 for Mac without generating any user alert or macro prompt, Dormann says.

At that time, Microsoft had noted that Excel for Mac 2011 was not supported anymore and thus not eligible for security updates, Dormann says. The company had pointed to Mac Excel 2016 and Mac Excel 2019 as responding correctly in the same situation, Dormann says.

But the reality is that while Excel 2016 and 2019 do indeed prompt before running XLM macros in SYLK files, they do so only with the default security setting of "Disable all macros with notification," he says.

If a user were to choose the stronger "Disable all macros without notification" option, the XLM macro would do the opposite. It would run without generating any macro prompt and not just with Office 2011 for Mac, but with Office 2016 and Office 2019 for Mac as well, Dormann notes.

"It's clearly a mistake," he says. "Microsoft can fix the logic error in the handling of the macro setting in Excel for Mac, but this will require them to both fix the software and also deploy the fixed version."

Until that point, the best option for Mac users is to use "Disable all macros with notification" setting instead. "The trade-off with using this setting is that it increases the risk for modern (VBA) macros, but will prevent automatic exploitation with SYLK XLM macros," Dormann says.

Ever since Outflank published its technique of using XLM macros in SYLK files, attackers have been exploiting the issue in the wild, Dormann says. What's new with CERT/CC's advisory is that a security setting "that should protect against exploitation of the technique ironically makes Mac systems more vulnerable," he adds.

Related Content:

This free, all-day online conference offers a look at the latest tools, strategies, and best practices for protecting your organization’s most sensitive data. Click for more information and, to register, here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hachprakash
50%
50%
hachprakash,
User Rank: Apprentice
11/6/2019 | 1:51:40 AM
online training website
Thanks,Inspiring writings and I greatly admired what you have to say , I hope you continue to provide new ideas for us all and greetings success always for you..Keep update more information
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-18862
PUBLISHED: 2019-11-11
maidag in GNU Mailutils before 3.8 is installed setuid and allows local privilege escalation in the url mode.
CVE-2019-18853
PUBLISHED: 2019-11-11
ImageMagick before 7.0.9-0 allows remote attackers to cause a denial of service because XML_PARSE_HUGE is not properly restricted in coders/svg.c, related to SVG and libxml2.
CVE-2019-18854
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to unlimited recursion for a '<use ... xlink:href="#identifier">' substring.
CVE-2019-18855
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the safe-svg (aka Safe SVG) plugin through 1.9.4 for WordPress, related to potentially unwanted elements or attributes.
CVE-2019-18856
PUBLISHED: 2019-11-11
A Denial Of Service vulnerability exists in the SVG Sanitizer module through 8.x-1.0-alpha1 for Drupal because access to external resources with an SVG use element is mishandled.