Specialists from the CERT Coordination Center at Carnegie Mellon University (USA) reported a problem, which “disables all macros without notification” option in Microsoft Office for Mac. Disabling macros puts users at risk.
The option is a security measure that blocks the execution of code embedded in documents without first asking the user for confirmation. However, if this option is enabled, XLM macros in SYLK files will remain enabled and will work without any notification when opening a document. According to experts, this problem is observed in Office 2016 and Office 2019 for Mac.The Microsoft Office for Mac option “Disable all macros without notification” enables XLM macros without prompting, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system”, — reported in notification from Software Engineering Institute of Carnegie Mellon University.
Running XLM macros without any clues puts users at risk. Macro language features let you run files and execute commands. Thus, an attacker can remotely execute code on the target system.
The problem with SYLK macros is that Microsoft Office does not open in secure browsing mode to protect users’ security. This means that users can be in one click from the execution of arbitrary code through a document created on the Internet”, — the experts explain.
An attacker could exploit the vulnerability by injecting malicious XLM code into a SYLK file, and then using phishing attacks or other social engineering methods to convince the user to open the infected file in Office for Mac.
Read also: Windows 10 Update Disables Microsoft Defender
So far, Microsoft has not released a fix for this issue.
Here’s what the experts at Carnegie Mellon University advise:
The CERT/CC is currently unaware of a practical solution to this problem. Please consider the following workarounds:
- Block SYLK files at email and web gateways
- SYLK files, which have the file extension SLK, should be blocked at email and web gateways to help prevent exploitation of this vulnerability.
- Enable the “Disable all macros with notification” security setting
- Although “Disable all macros with notification” is less secure than “Disable all macros without notification” for modern VBA macros, the latter setting can allow for arbitrary code execution without any prompting when an XLM macro is used in a SYLK file. Until this issue is addressed, using the “Disable all macros with notification” is a more secure setting on Mac systems.
