Security Researcher Shows Off Now-Fixed macOS Hack That Used Microsoft Office

macOS users could be targeted with malicious attacks using Microsoft Office files that have macros embedded, according to details on the now-fixed exploit shared today by security researcher Patrick Wardle, who also spoke to Motherboard.

microsoftofficemacromacexploit
Hackers have long used Office files with macros embedded in them as a way to get access to Windows computers, but the exploit is also possible on macOS. According to Wardle, a Mac user could potentially be infected just by opening a Microsoft Office file that has a bad macro in it.

Wardle shared a blog post on the exploit that he found for manipulating Office files to impact Macs, which he's highlighting during today's online Black Hat security conference.

Apple fixed the exploit that Wardle used in macOS 10.15.3, so that particular vulnerability is no longer available for hackers to use, but it offers an interesting look at an emerging method of attack that we could see more of in the future.

Wardle's hack was complicated and involved multiple steps, so those interested in full details should read his blog, but basically he used an Office file with an old .slk format to run macros on macOS without informing the user.

"Security researchers love these ancient file formats because they were created at a time when no one was thinking about security," Wardle told Motherboard.

After using the antiquated file format to get macOS to run a macro in Microsoft Office without letting the user know, he used another flaw that let a hacker escape the Microsoft Office Sandbox with a file that uses a $ sign. The file was a .zip file, which macOS didn't check against the notarization protections that prevent users from opening files not from known developers.

A demonstration of a downloaded Microsoft Office file with a macro being used to open up Calculator.

The exploit required the targeted person to log in to their Mac on two separate occasions as logins trigger different steps in the exploit chain, which makes it less likely to happen, but as Wardle says, only one person needs to fall for it.

Microsoft told Wardle that it has found that "any application, even when sandboxed, is vulnerable to misuse of these APIs," and that it is in contact with Apple to identify and fix issues as they arise. The vulnerabilities that Wardle used to demonstrate how macros can be abused have long since been patched by Apple, but there's always a chance that a similar exploit could pop up later.

Mac users are not invulnerable to viruses and should exercise caution when downloading and opening files from unknown sources, and sometimes, even known sources. It's best to stay away from suspicious Office files and other files that have shady origins, even with the protections that Apple has built into macOS.

Top Rated Comments

AngerDanger Avatar
18 months ago
You know **** got real when they break out the slab serif font.

Score: 7 Votes (Like | Disagree)
Chompineer Avatar
18 months ago

Yet another reason NOT to use M$ junk!!
Lol. Chill. Apple is guilty of plenty of faults too.
Score: 5 Votes (Like | Disagree)
coords Avatar
18 months ago
Yet another reason NOT to use M$ junk!!
Score: 5 Votes (Like | Disagree)
PlayUltimate Avatar
18 months ago
This is more of a Trojan horse than a virus; albeit, most people don't know the difference.

Note: for extra security, your Admin user should not be your daily user. I always have my family members create a Me (Standard) and Me_Admin (Admin) users when they get a computer. Just makes an extra step to get access to root directories, install apps, etc.
Score: 4 Votes (Like | Disagree)
Mr. Awesome Avatar
18 months ago

You know **** got real when they break out the slab serif font.


And check out those blood splatter icons.

And that hacker wearing a totally inconspicuous hat. And the snake eyes. That’s what real hackers look like, kids.

*Wait, what? They’re not blood icons? That’s way less exciting/terrifying.*
Score: 3 Votes (Like | Disagree)
lionel77 Avatar
18 months ago

The exploit required the targeted person to log in to their Mac on two separate occasions as logins trigger different steps in the exploit chain, which makes it less likely to happen
This part in the article seems wrong. The fact that the exploit requires two logins/restarts does not make it less likely to happen; it just means it might take some time until it becomes fully operational.

Wardle's original article is actually a pretty interesting read, if you have a few minutes. My favorite part is:
if the “Disable all macros without notification” setting is enabled, ironically, this macro code will be automatically executed anytime the document is opened!
Score: 2 Votes (Like | Disagree)

Popular Stories

macbook pro 13 inch banner

Apple Planning Five New Macs for 2022, Including Entry-Level MacBook Pro Refresh

Sunday December 5, 2021 7:55 am PST by
Apple is working on five new Macs for launch in 2022, including a new version of the entry-level MacBook Pro, according to Bloomberg's Mark Gurman. In the latest edition of his "Power On" newsletter, Gurman said that he expects Apple to launch five new Macs in 2022, including: A high-end iMac with Apple silicon to sit above the 24-inch iMac in the lineup A significant MacBook Air...
apple watch series 7 aluminum colors

2022 Apple Watch Lineup Rumored to Include New Apple Watch SE and 'Rugged' Model for Sports

Sunday December 5, 2021 8:22 am PST by
Apple is planning an entire revamp of its Apple Watch lineup for 2022, including an update to the Apple Watch SE and a new Apple Watch with a rugged design aimed at sports athletes, according to respected Bloomberg journalist Mark Gurman. Writing in the latest installment of his Power On newsletter, Gurman said that for 2022, alongside the Apple Watch Series 8, Apple is planning an update to ...
airtag in hand

Apple AirTag Linked to Increasing Number of Car Thefts, Canadian Police Report

Friday December 3, 2021 7:10 am PST by
Apple's AirTags are being used in an increasing number of targeted car thefts in Canada, according to local police. Outlined in a news release from York Regional Police, investigators have identified a new method being used by thieves to track down and steal high-end vehicles that takes advantage of the AirTag's location tracking capabilities. While the method of stealing the cars is largely ...
1x 1

Apple CEO Tim Cook 'Secretly' Signed $275 Billion Deal With China in 2016

Tuesday December 7, 2021 6:49 am PST by
Apple CEO Tim Cook "secretly" signed an agreement worth more than $275 billion with Chinese officials, promising that Apple would help to develop China's economy and technological capabilities, The Information reports. In an extensive paywalled report based on interviews and purported internal Apple documents, The Information revealed that Tim Cook personally forged a five-year agreement...
ipad air arrive feature

iPad Pro With Wireless Charging, iPad Air 5, and iPad 10 Reported to Debut in 2022

Sunday December 5, 2021 8:54 am PST by
Apple is preparing to update three of its iPad models in 2022, including the entry-level iPad, iPad Air, and iPad Pro, according to Bloomberg's Mark Gurman. In his latest "Power On" newsletter, Gurman reiterated Apple's plans to release a new iPad Pro in 2022, featuring a new design and wireless charging, and clarified the company's intention to release new versions of the entry-level iPad...
2021 MBP SD Card Error Feature

Some SD Cards Not Working Properly With 2021 14 and 16-Inch MacBook Pros

Monday December 6, 2021 2:02 pm PST by
The SD card reader slot on the new 14 and 16-inch MacBook Pro models is not functioning as expected with some SD cards, according to multiple reports on the MacRumors forums. In a long complaint thread, MacRumors readers have detailed the issues that they're having with some SD cards, and there seems to be little consistency between reports and affected SD cards. Some SD cards crash and...
airpods pro blue holiday 3

Deals: AirPods Pro With MagSafe Available for $169.99 and Christmas Delivery on Amazon ($79 Off) [Update: Expired]

Monday December 6, 2021 6:03 am PST by
Amazon today has Apple's AirPods Pro with MagSafe Charging Case for $169.99 and delivery before Christmas Day, down from an original price of $249.00. This is $10 off from the rock bottom $159.99 price tag we tracked on Black Friday and Cyber Monday, and still a great deal for anyone shopping this holiday season. Note: MacRumors is an affiliate partner with Amazon. When you click a link and...
life360 app

Tile Buyer Life360 Selling Precise Location Data on Millions of Users

Monday December 6, 2021 1:05 pm PST by
Location tracking service Life360 has been selling the precise location data of tens of millions of its users, according to a new report shared by The Markup. Life360 bills itself as a "family safety platform" app that is meant to allow family members to keep tabs on one another with tracking software that's installed on smartphones, and there are both Android and iPhone apps. The...