Security Researcher Shows Off Now-Fixed macOS Hack That Used Microsoft Office

by

macOS users could be targeted with malicious attacks using Microsoft Office files that have macros embedded, according to details on the now-fixed exploit shared today by security researcher Patrick Wardle, who also spoke to Motherboard.

microsoftofficemacromacexploit
Hackers have long used Office files with macros embedded in them as a way to get access to Windows computers, but the exploit is also possible on macOS. According to Wardle, a Mac user could potentially be infected just by opening a Microsoft Office file that has a bad macro in it.

Wardle shared a blog post on the exploit that he found for manipulating Office files to impact Macs, which he's highlighting during today's online Black Hat security conference.

Apple fixed the exploit that Wardle used in macOS 10.15.3, so that particular vulnerability is no longer available for hackers to use, but it offers an interesting look at an emerging method of attack that we could see more of in the future.

Wardle's hack was complicated and involved multiple steps, so those interested in full details should read his blog, but basically he used an Office file with an old .slk format to run macros on macOS without informing the user.

"Security researchers love these ancient file formats because they were created at a time when no one was thinking about security," Wardle told Motherboard.

After using the antiquated file format to get macOS to run a macro in Microsoft Office without letting the user know, he used another flaw that let a hacker escape the Microsoft Office Sandbox with a file that uses a $ sign. The file was a .zip file, which macOS didn't check against the notarization protections that prevent users from opening files not from known developers.

A demonstration of a downloaded Microsoft Office file with a macro being used to open up Calculator.

The exploit required the targeted person to log in to their Mac on two separate occasions as logins trigger different steps in the exploit chain, which makes it less likely to happen, but as Wardle says, only one person needs to fall for it.

Microsoft told Wardle that it has found that "any application, even when sandboxed, is vulnerable to misuse of these APIs," and that it is in contact with Apple to identify and fix issues as they arise. The vulnerabilities that Wardle used to demonstrate how macros can be abused have long since been patched by Apple, but there's always a chance that a similar exploit could pop up later.

Mac users are not invulnerable to viruses and should exercise caution when downloading and opening files from unknown sources, and sometimes, even known sources. It's best to stay away from suspicious Office files and other files that have shady origins, even with the protections that Apple has built into macOS.

Popular Stories

top stories 2025 12 20

Top Stories: iOS 26.3 Beta, Major Apple Leaks, and More

Saturday December 20, 2025 6:00 am PST by
You'd think things would be slowing down heading into the holidays, but this week saw a whirlwind of Apple leaks and rumors while Apple started its next cycle of betas following last week's release of iOS 26.2 and related updates. This week also saw the release of a new Apple Music integration with ChatGPT, so read on below for all the details on this week's biggest stories! Top Stories i...
Read Full Article19 comments
maxresdefault

Where's the New Apple TV?

Monday December 22, 2025 11:30 am PST by
Apple hasn't updated the Apple TV 4K since 2022, and 2025 was supposed to be the year that we got a refresh. There were rumors suggesting Apple would release the new Apple TV before the end of 2025, but it looks like that's not going to happen now. Subscribe to the MacRumors YouTube channel for more videos. Bloomberg's Mark Gurman said several times across 2024 and 2025 that Apple would...
Read Full Article111 comments
iPhone Top Left Hole Punch Face ID Feature Purple

iPhone 18 Pro Features Leaked in New Report, Including Under-Screen Face ID

Tuesday December 16, 2025 8:44 am PST by
Next year's iPhone 18 Pro and iPhone 18 Pro Max will be equipped with under-screen Face ID, and the front camera will be moved to the top-left corner of the screen, according to a new report from The Information's Wayne Ma and Qianer Liu. As a result of these changes, the report said the iPhone 18 Pro models will not have a pill-shaped Dynamic Island cutout at the top of the screen....
Read Full Article60 comments
ios 18 security update

Don't Want to Upgrade to iOS 26? Here's How to Stay on iOS 18 [Update: Now Unavailable]

Friday December 19, 2025 10:37 am PST by
Since the beginning of December, Apple has been pushing iPhone users who opted to stay on iOS 18 to install iOS 26 instead. Apple started by making the iOS 18 upgrades less visible, and has now transitioned to making new iOS 18 updates unavailable on any device capable of running iOS 26. If you have an iPhone 11 or later, Apple is no longer offering new versions of iOS 18, even though there...
Read Full Article422 comments
iPhone Chips

Apple Clings to Samsung as RAM Prices Soar

Monday December 22, 2025 6:17 am PST by
Apple is significantly increasing its reliance on Samsung for iPhone memory as component prices surge, according to The Korea Economic Daily. Apple is said to be expanding the share of iPhone memory it sources from Samsung due to rapidly rising memory prices. The shift is expected to result in Samsung supplying roughly 60% to 70% of the low-power DRAM used in the iPhone 17, compared with a...
Read Full Article64 comments
iOS 26

iOS 26.3 Brings AirPods-Like Pairing to Third-Party Devices in EU Under DMA

Monday December 22, 2025 3:20 pm PST by
The European Commission today praised the interoperability changes that Apple is introducing in iOS 26.3, once again crediting the Digital Markets Act (DMA) with bringing "new opportunities" to European users and developers. The Digital Markets Act requires Apple to provide third-party accessories with the same capabilities and access to device features that Apple's own products get. In iOS...
Read Full Article45 comments
apple beta 26 lineup

Apple's 2026 and 2027 Product Roadmap: Foldable iPhone, iPhone 18 Pro, M5 Macs, and More

Tuesday December 16, 2025 4:42 pm PST by
There has been a whirlwind of rumors over the last few days, sourced from leaked internal software designed for the iPhone and the Mac, and news sites like The Information. Below, we have a quick recap of everything we've heard this week, which serves as a guide to Apple's product plans in 2026 and beyond. We've organized the info by likely release date, though there are some products that...
Read Full Article44 comments

Top Rated Comments

AngerDanger Avatar
AngerDanger
70 months ago
You know **** got real when they break out the slab serif font.

Score: 7 Votes (Like | Disagree)
Chompineer Avatar
Chompineer
70 months ago

Yet another reason NOT to use M$ junk!!
Lol. Chill. Apple is guilty of plenty of faults too.
Score: 5 Votes (Like | Disagree)
coords Avatar
coords
70 months ago
Yet another reason NOT to use M$ junk!!
Score: 5 Votes (Like | Disagree)
PlayUltimate Avatar
PlayUltimate
70 months ago
This is more of a Trojan horse than a virus; albeit, most people don't know the difference.

Note: for extra security, your Admin user should not be your daily user. I always have my family members create a Me (Standard) and Me_Admin (Admin) users when they get a computer. Just makes an extra step to get access to root directories, install apps, etc.
Score: 4 Votes (Like | Disagree)
Mr. Awesome Avatar
Mr. Awesome
70 months ago

You know **** got real when they break out the slab serif font.


And check out those blood splatter icons.

And that hacker wearing a totally inconspicuous hat. And the snake eyes. That’s what real hackers look like, kids.

*Wait, what? They’re not blood icons? That’s way less exciting/terrifying.*
Score: 3 Votes (Like | Disagree)
lionel77 Avatar
lionel77
70 months ago

The exploit required the targeted person to log in to their Mac on two separate occasions as logins trigger different steps in the exploit chain, which makes it less likely to happen
This part in the article seems wrong. The fact that the exploit requires two logins/restarts does not make it less likely to happen; it just means it might take some time until it becomes fully operational.

Wardle's original article is actually a pretty interesting read, if you have a few minutes. My favorite part is:
if the “Disable all macros without notification” setting is enabled, ironically, this macro code will be automatically executed anytime the document is opened!
Score: 2 Votes (Like | Disagree)
Read All Comments