Security researcher demonstrates macOS attack based on Office macro files.

Security researcher Patrick Wardle has just blogged the details of a now-fixed vulnerability chain that shows how macOS users can be attacked with a malicious macro embedded in a Microsoft Office file. Such attacks have long been thought of as a Windows-only problem, but it turns out that macOS faces the same issue. Wardle points out that simply opening a Microsoft Office file containing a well-crafted macro can be enough to infect a Mac user.


(From: Objective-See Blog)

Wardle presented the vulnerability at today's online Black Hat security conference; Apple has since fixed it in macOS 10.15.3.

The attack demonstrated by Wardle is complex and involves multiple steps. Even so, it offers an interesting perspective on emerging attack methods, and more macOS attacks of this kind may follow.

Essentially, he takes advantage of the old SYLK (.slk) spreadsheet format: an Office macro carried in such a file runs on macOS without notifying the user, so the usual macro warning never appears.

“Security researchers love these ancient file formats because they were created without anyone considering security,” Wardle told Motherboard.
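The following triage script is an added example for this article, not code from Wardle's blog or from Microsoft. It parses a SYLK file the way a defender would when checking mail attachments, and flags the three things that make a .slk dangerous: the options record that turns the sheet into a macro sheet, an Auto_open (or similar) defined name, and cell formulas calling code-execution functions such as EXEC. The record layout follows the published SYLK format; the two sample files are constructed here, and the malicious one only launches Calculator.

```python
"""Flag SYLK (.slk) spreadsheets that carry Excel 4.0 (XLM) macros.

Added example for this article, not code from Wardle's blog or from Microsoft.
SYLK records are one per line with ';'-separated fields; a literal ';' inside
a field is written as ';;'.  SAMPLE_SLK and BENIGN_SLK are constructed here.
"""
import re
import sys

# XLM functions that run code or touch the file system.  Assumed watch list;
# extend it for your own triage.
DANGEROUS_XLM = ("EXEC", "CALL", "REGISTER", "FOPEN", "FWRITE", "RUN")
# Defined names Excel runs automatically when the sheet is opened or closed.
AUTO_NAMES = ("auto_open", "auto_close", "auto_activate")

# Constructed malicious sample.  O;E marks the sheet as a macro sheet, NN binds
# the Auto_open name to row 101 / column 1, and the C record at that cell
# holds the EXEC() call that ran without a macro prompt in affected versions.
SAMPLE_SLK = """ID;P
O;E
NN;NAuto_open;ER101C1;KOut Flag;F
C;X1;Y101;EEXEC("/Applications/Calculator.app/Contents/MacOS/Calculator")
C;X1;Y102;EHALT()
E
"""

# Constructed benign sample: plain values, no macro sheet, no defined names.
BENIGN_SLK = """ID;PWXL;N;E
C;Y1;X1;K"hello"
C;Y1;X2;K42
E
"""


def parse_records(text):
    """Split SYLK text into (record_type, fields) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Protect escaped ';;' before splitting, then restore it per field.
        parts = [p.replace("\x00", ";") for p in line.replace(";;", "\x00").split(";")]
        records.append((parts[0], parts[1:]))
    return records


def analyze_slk(text):
    """Return the macro indicators found in a SYLK file's text."""
    findings = {"is_sylk": False, "macro_sheet": False,
                "auto_names": [], "dangerous_calls": []}
    records = parse_records(text)
    if not records or records[0][0] != "ID":
        return findings  # not a SYLK file at all
    findings["is_sylk"] = True
    for rtype, fields in records:
        if rtype == "O" and "E" in fields:
            findings["macro_sheet"] = True      # options record: macro sheet
        elif rtype == "NN":                      # defined name
            for field in fields:
                if field.startswith("N") and field[1:].lower() in AUTO_NAMES:
                    findings["auto_names"].append(field[1:])
        elif rtype == "C":                       # cell record
            for field in fields:
                if not field.startswith("E"):    # E = expression / formula
                    continue
                expr = field[1:]
                if any(re.search(r"\b%s\s*\(" % func, expr, re.IGNORECASE)
                       for func in DANGEROUS_XLM):
                    findings["dangerous_calls"].append(expr)
    return findings


def is_suspicious(text):
    """True when the file is SYLK and shows any macro indicator."""
    f = analyze_slk(text)
    return f["is_sylk"] and bool(f["macro_sheet"] or f["auto_names"] or f["dangerous_calls"])


if __name__ == "__main__":
    # Usage: python slk_triage.py file1.slk file2.slk ...  (no args: run the samples)
    paths = sys.argv[1:]
    if not paths:
        for label, sample in (("constructed malicious", SAMPLE_SLK), ("constructed benign", BENIGN_SLK)):
            print(label, "->", "SUSPICIOUS" if is_suspicious(sample) else "clean", analyze_slk(sample))
    for path in paths:
        with open(path, "r", encoding="latin-1") as fh:
            text = fh.read()
        print(path, "->", "SUSPICIOUS" if is_suspicious(text) else "clean", analyze_slk(text))
```

The point of checking all three indicators rather than just grepping for EXEC is that an attacker can split a payload across cells and build the command string with FORMULA() or CHAR() tricks; the macro-sheet flag and the Auto_open name are much harder to hide, since without them the macro never fires. Treat a hit on any of the three as reason to quarantine the file.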


After using the outdated file format to get Office on macOS to run the macro without notifying the user, Wardle chained in a second flaw: Office's sandbox allows the application to write files whose names begin with the ~$ symbol, and he used such a file to escape the sandbox.

The payload is delivered as a .zip archive, which is exactly the kind of download macOS is supposed to subject to its security checks: under Apple's intended policy, the system should have stopped the user from running content from an unidentified developer. In Wardle's chain those checks did not stand in the way.

To trigger the different steps of the exploit chain, the target has to log in to the Mac twice. Although the chance of the whole chain succeeding is small, Wardle still issued his warning.
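The chain above leaves traces that can be hunted for after the fact. The script below is an added example for this article, not Wardle's code, and its two indicators are assumptions drawn from the chain as described here (a ~$-named file that the Office sandbox is allowed to write, a .zip payload, and persistence that survives two logins): first, any file named ~$... that is not an Office document (a genuine Office lock file is a ~$...docx or similar beside its document; a ~$payload.zip under ~/Library is not), and second, any LaunchAgent whose program lives in the home directory or another user-writable location, which is how a user-level persistence step of this kind would typically be wired up. The directory layout, file names and plist labels in the constructed sample are assumptions made for the demonstration.

```python
"""Hunt for on-disk traces of the Office sandbox-escape chain described above.

Added example for this article, not Wardle's code.  Indicators and the
sample tree built by build_sample_home() are assumptions for the demo.
"""
import os
import plistlib
import sys
import tempfile

OFFICE_EXTS = {".doc", ".docx", ".docm", ".dot", ".dotx", ".xls", ".xlsx", ".xlsm",
               ".xlam", ".slk", ".ppt", ".pptx", ".pptm"}
# Locations any user can write to; an agent whose program lives here (or
# anywhere under the home directory) deserves a second look.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")


def suspicious_tilde_files(root):
    """Files named ~$... with a non-Office extension, anywhere under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if name.startswith("~$") and ext not in OFFICE_EXTS:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def suspicious_launch_agents(home):
    """(plist path, program) for agents whose program sits in a user-writable path."""
    hits = []
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    if not os.path.isdir(agents_dir):
        return hits
    for name in sorted(os.listdir(agents_dir)):
        if not name.endswith(".plist"):
            continue
        path = os.path.join(agents_dir, name)
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:  # malformed or non-plist content is itself odd
            hits.append((path, "<unparseable plist>"))
            continue
        args = plist.get("ProgramArguments") or []
        program = plist.get("Program") or (args[0] if args else "")
        if not program:
            continue
        if (program.startswith(home.rstrip("/") + "/")
                or program.startswith(USER_WRITABLE_PREFIXES)
                or os.path.basename(program).startswith("~$")):
            hits.append((path, program))
    return hits


def hunt(home):
    """Run both checks against one home directory."""
    return {"tilde_files": suspicious_tilde_files(home),
            "launch_agents": suspicious_launch_agents(home)}


def build_sample_home():
    """Constructed throwaway home: a benign lock file, a benign vendor agent,
    and the two artifacts the chain would leave behind (assumed layout)."""
    home = tempfile.mkdtemp(prefix="office-hunt-")
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    docs_dir = os.path.join(home, "Documents")
    os.makedirs(agents_dir)
    os.makedirs(docs_dir)
    # Ordinary Office lock file beside its document: must not be flagged.
    open(os.path.join(docs_dir, "report.docx"), "w").close()
    open(os.path.join(docs_dir, "~$report.docx"), "w").close()
    # Sandbox-permitted ~$ name, but a zip archive under Library: flag it.
    open(os.path.join(home, "Library", "~$payload.zip"), "wb").close()
    # Agent whose program points back into the home directory: flag it.
    evil = {"Label": "com.example.evil", "RunAtLoad": True,
            "ProgramArguments": [os.path.join(home, "Library", "~$payload"), "--run"]}
    with open(os.path.join(agents_dir, "com.example.evil.plist"), "wb") as fh:
        plistlib.dump(evil, fh)
    # Vendor agent living in /Applications: leave it alone.
    benign = {"Label": "com.vendor.updater",
              "ProgramArguments": ["/Applications/Vendor.app/Contents/MacOS/updater"]}
    with open(os.path.join(agents_dir, "com.vendor.updater.plist"), "wb") as fh:
        plistlib.dump(benign, fh)
    return home


if __name__ == "__main__":
    # Usage: python office_hunt.py [HOME]   (no argument: scan the constructed sample)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_home()
    for key, value in hunt(target).items():
        print(key, value)
```

Run it with your own home directory as the argument to scan a real machine. Expect some noise from the LaunchAgents check, since legitimate software also installs agents under ~/Library/Application Support; the combination of a flagged agent and a ~$-named non-Office file is the signal worth chasing.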

Microsoft says it has found that “even in sandboxes, any application is highly vulnerable to API abuse.” Accordingly, the company has been in contact with Apple to get the problem fixed.

Finally, we recommend that Mac users keep up good habits. Even though Apple has built some protection into macOS, stay vigilant when downloading and opening files from untrusted or suspicious sources.