Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Now-fixed exploit used Microsoft Office macros to hack macOS

A now-fixed exploit in the macOS version of Microsoft Office may have allowed attackers to hack a Mac user just by getting them to open a document.

The exploit was developed by Jamf security engineer and ex-NSA hacker Patrick Wardle, who has long specialized in hacking Macs. Wardle showed off the attack method at the Black Hat 2020 security conference Wednesday.

As he explained on his blog, it takes advantage of macros in Microsoft Office. That's an age-old technique for hacking Windows, but Mac-targeting macro attacks are "growing in popularity and are quite en vogue," Wardle wrote.

Leveraging macros, which are essentially small programs embedded in files, is only one part of the equation. To actually get the exploit to work, Wardle had to string together several other vulnerabilities.

By creating a file with an old .slk format, Wardle was able to get Office to run macros without alerting the user Adding a "$" character to the start of the filename allowed Wardle to escape the macOS sandbox. Finally, Wardle zipped the file into a .zip format — which macOS doesn't check against its notarization requirements.

The attack is complicated, but illustrates a good point about the way an attacker may think. By leveraging multiple vulnerabilities and techniques, Wardle was able to create an exploit that only required users to double-click a Word document.

Wardle notes that a user still needs to authenticate some of the actions by logging in. But if a user does authenticate it, an attacker could install backdoors or other malicious files — opening the door to further attacks.

Luckily for Mac users, the vulnerabilities that Wardle took advantage of were patched in the latest version of Office on Mac and macOS 10.15.3. Still, with macro-based attacks on the rise, it's likely that similar vulnerabilities could come to light in the future.

Wardle alerted both Microsoft and Apple of the flaws, but told Motherboard that the latter company didn't respond to his report.

Apple opened a bug bounty program for macOS in 2019, but Wardle told Motherboard that he has never received any money from the company for exploits or vulnerabilities that he has discovered.



5 Comments

dr. x 278 comments · 19 Years

So what version is the patched one?

I assume it's version 16.39 which I updated earlier today.

Rayz2016 6957 comments · 8 Years

Yes, one of Microsoft’s to the computing world is VBA – Virus Basic for Applications, a programming language that simplified the creation of cross-platform malware. Not surprised to see they’ve introduced a new malware platform for the Cloud age. 

And Apple. Not checking zip files? Allowing macros out of the sandbox? Really?

lkrupp 10521 comments · 19 Years

Rayz2016 said:
Yes, one of Microsoft’s to the computing world is VBA – Virus Basic for Applications, a programming language that simplified the creation of cross-platform malware. Not surprised to see they’ve introduced a new malware platform for the Cloud age. 
And Apple. Not checking zip files? Allowing macros out of the sandbox? Really?

Well, when I open a document with macros I get a warning from macOS that asks me if I still want open it with-or-without the macros enabled.

Rayz2016 6957 comments · 8 Years

lkrupp said:
Rayz2016 said:
Yes, one of Microsoft’s to the computing world is VBA – Virus Basic for Applications, a programming language that simplified the creation of cross-platform malware. Not surprised to see they’ve introduced a new malware platform for the Cloud age. 
And Apple. Not checking zip files? Allowing macros out of the sandbox? Really?
Well, when I open a document with macros I get a warning from macOS that asks me if I still want open it with-or-without the macros enabled.

Ah. I did not know that.

They should still be checking zip files though.