Security Researcher Shows Off Now-Fixed macOS Hack That Used Microsoft Office

by

macOS users could be targeted with malicious attacks using Microsoft Office files that have macros embedded, according to details on the now-fixed exploit shared today by security researcher Patrick Wardle, who also spoke to Motherboard.

microsoftofficemacromacexploit
Hackers have long used Office files with macros embedded in them as a way to get access to Windows computers, but the exploit is also possible on macOS. According to Wardle, a Mac user could potentially be infected just by opening a Microsoft Office file that has a bad macro in it.

Wardle shared a blog post on the exploit that he found for manipulating Office files to impact Macs, which he's highlighting during today's online Black Hat security conference.

Apple fixed the exploit that Wardle used in macOS 10.15.3, so that particular vulnerability is no longer available for hackers to use, but it offers an interesting look at an emerging method of attack that we could see more of in the future.

Wardle's hack was complicated and involved multiple steps, so those interested in full details should read his blog, but basically he used an Office file with an old .slk format to run macros on macOS without informing the user.

"Security researchers love these ancient file formats because they were created at a time when no one was thinking about security," Wardle told Motherboard.

After using the antiquated file format to get macOS to run a macro in Microsoft Office without letting the user know, he used another flaw that let a hacker escape the Microsoft Office Sandbox with a file that uses a $ sign. The file was a .zip file, which macOS didn't check against the notarization protections that prevent users from opening files not from known developers.

A demonstration of a downloaded Microsoft Office file with a macro being used to open up Calculator.

The exploit required the targeted person to log in to their Mac on two separate occasions as logins trigger different steps in the exploit chain, which makes it less likely to happen, but as Wardle says, only one person needs to fall for it.

Microsoft told Wardle that it has found that "any application, even when sandboxed, is vulnerable to misuse of these APIs," and that it is in contact with Apple to identify and fix issues as they arise. The vulnerabilities that Wardle used to demonstrate how macros can be abused have long since been patched by Apple, but there's always a chance that a similar exploit could pop up later.

Mac users are not invulnerable to viruses and should exercise caution when downloading and opening files from unknown sources, and sometimes, even known sources. It's best to stay away from suspicious Office files and other files that have shady origins, even with the protections that Apple has built into macOS.

Popular Stories

iphone 17 models

No iPhone 18 Launch This Year, Reports Suggest

Thursday January 1, 2026 8:43 am PST by
Apple is not expected to release a standard iPhone 18 model this year, according to a growing number of reports that suggest the company is planning a significant change to its long-standing annual iPhone launch cycle. Despite the immense success of the iPhone 17 in 2025, the iPhone 18 is not expected to arrive until the spring of 2027, leaving the iPhone 17 in the lineup as the latest...
Read Full Article110 comments
Clicks Communicator Feature

'Clicks Communicator' Unveiled — Will You Carry This With Your iPhone?

Friday January 2, 2026 6:35 am PST by
The company behind the BlackBerry-like Clicks Keyboard accessory for the iPhone today unveiled a new Android 16 smartphone called the Clicks Communicator. The purpose-built device is designed to be used as a second phone alongside your iPhone, with the intended focus being communication over content consumption. It runs a custom Android launcher that offers a curated selection of messaging...
Read Full Article142 comments
apple intelligence black

Report: Apple's AI Strategy Could Finally Pay Off in 2026

Tuesday December 30, 2025 9:01 am PST by
Apple's restrained artificial intelligence strategy may pay off in 2026 amid the arrival of a revamped Siri and concerns around the AI market "bubble" bursting, The Information argues. The speculative report notes that Apple has taken a restrained approach with AI innovations compared with peers such as OpenAI, Google, and Meta, which are investing hundreds of billions of dollars in data...
Read Full Article199 comments
duolingo ad live activity

Duolingo Used iPhone's Dynamic Island to Display Ads, Violating Apple Design Guidelines

Friday January 2, 2026 1:36 pm PST by
Language learning app Duolingo has apparently been using the iPhone's Live Activity feature to display ads on the Lock Screen and the Dynamic Island, which violates Apple's design guidelines. According to multiple reports on Reddit, the Duolingo app has been displaying an ad for a "Super offer," which is Duolingo's paid subscription option. Apple's guidelines for Live Activity state that...
Read Full Article53 comments
apple fitness 2026 1

Apple Teases 'Something Big' Coming Soon to Apple Fitness+

Tuesday December 30, 2025 2:11 pm PST by
The Apple Fitness+ Instagram account today teased that the service has "big plans" for 2026. In a video, several Apple Fitness+ trainers are shown holding up newspapers with headlines related to Apple Fitness+. What's Apple Fitness+ Planning for the New Year? Something Big is Coming to Apple Fitness+ The Countdown Begins. Apple Fitness+ 2026 is Almost Here 2026 Plans Still Under ...
Read Full Article121 comments
Mac Pro Feature Blue

What's Happening With the Mac Pro?

Wednesday December 31, 2025 9:59 am PST by
Apple hasn't updated the Mac Pro since 2023, and according to recent rumors, there's no update coming in the near future. In fact, Apple might be finished with the Mac Pro. Bloomberg recently said that the Mac Pro is "on the back burner" and has been "largely written off" by Apple. Apple apparently views the more compact Mac Studio as the ideal high-end pro-level desktop, and it has almost...
Read Full Article249 comments
macbook air march 2020

Apple Says Final Intel MacBook Air and Apple Watch Series 5 Now 'Vintage'

Wednesday December 31, 2025 8:39 am PST by
Apple today added the final 13-inch MacBook Air powered by Intel processors, the Apple Watch Series 5, and additional products to its vintage products list. The iPhone 11 Pro was also added to the list after the iPhone 11 Pro Max was added back in September. The full list of products added to Apple's vintage and obsolete list today: MacBook Air (Retina, 13-inch, 2020) iPhone 8 Plus 128GB ...
Read Full Article83 comments
Apple Fitness Plus hero

Apple Announces New Fitness+ Workout Programs, Strava Challenge, and More

Friday January 2, 2026 6:43 am PST by
Apple today announced a number of updates to Apple Fitness+ and activity with the Apple Watch. The key announcements include: New Year limited-edition award: Users can win the award by closing all three Activity Rings for seven days in a row in January. "Quit Quitting" Strava challenge: Available in Strava throughout January, users who log 12 workouts anytime in the month will win an ...
Read Full Article54 comments

Top Rated Comments

AngerDanger Avatar
AngerDanger
71 months ago
You know **** got real when they break out the slab serif font.

Score: 7 Votes (Like | Disagree)
Chompineer Avatar
Chompineer
71 months ago

Yet another reason NOT to use M$ junk!!
Lol. Chill. Apple is guilty of plenty of faults too.
Score: 5 Votes (Like | Disagree)
coords Avatar
coords
71 months ago
Yet another reason NOT to use M$ junk!!
Score: 5 Votes (Like | Disagree)
PlayUltimate Avatar
PlayUltimate
71 months ago
This is more of a Trojan horse than a virus; albeit, most people don't know the difference.

Note: for extra security, your Admin user should not be your daily user. I always have my family members create a Me (Standard) and Me_Admin (Admin) users when they get a computer. Just makes an extra step to get access to root directories, install apps, etc.
Score: 4 Votes (Like | Disagree)
Mr. Awesome Avatar
Mr. Awesome
71 months ago

You know **** got real when they break out the slab serif font.


And check out those blood splatter icons.

And that hacker wearing a totally inconspicuous hat. And the snake eyes. That’s what real hackers look like, kids.

*Wait, what? They’re not blood icons? That’s way less exciting/terrifying.*
Score: 3 Votes (Like | Disagree)
lionel77 Avatar
lionel77
71 months ago

The exploit required the targeted person to log in to their Mac on two separate occasions as logins trigger different steps in the exploit chain, which makes it less likely to happen
This part in the article seems wrong. The fact that the exploit requires two logins/restarts does not make it less likely to happen; it just means it might take some time until it becomes fully operational.

Wardle's original article is actually a pretty interesting read, if you have a few minutes. My favorite part is:
if the “Disable all macros without notification” setting is enabled, ironically, this macro code will be automatically executed anytime the document is opened!
Score: 2 Votes (Like | Disagree)
Read All Comments