Microsoft Office for Mac could enable hackers to sidestep endpoint protection

News by Rene Millman

Security researchers have warned that XML macros embedded in SYLK files can evade defences in Microsoft Office for Mac and can't be disabled.


According to a security advisory from US-CERT, SYmbolic LinK (SYLK) files could harbour threatening XLM macros, the legacy Excel 4.0 macro format.

"XLM macros can be incorporated into SYLK files," said researchers. "Macros in the SYLK format are problematic in that Microsoft Office does not open in Protected View to help protect users."

This type of macro has long since been superseded by Visual Basic for Applications (VBA) macros. However, XLM macros are still supported by all Microsoft Office versions and can still be embedded in SYLK files. SYmbolic LinK (SYLK) is a Microsoft file format dating back to the 1980s that is used mainly to exchange data between applications, in particular spreadsheets.

Macros in the SYLK format are a problem because Microsoft Office's Protected View sandbox does not apply to this file format. Protected View is intended to shield Office users from malicious code in documents, but SYLK files are never opened in Protected View.

"This means that users may be a single click away from arbitrary code execution via a document that originated from the internet," said the advisory.

Office 2011 for Mac does not warn users when opening SYLK files with XLM macros. Office 2016 and 2019 for Mac do warn about executing XLM macros in SYLK files. However, when Office for Mac is set with the "Disable all macros without notification" option, the XLM macros in SYLK files are executed automatically without warning users. This has been tested with fully patched versions of Office 2016 and 2019 for Mac.

When a Mac user opens a SYLK file (.SLK) with Office 2016 or 2019 where "Disable all macros without notification" is enabled, an attacker can execute arbitrary code with the rights of the logged-in user. According to US-CERT, there are currently no practical solutions available. Organisations are advised to block SYLK files on mail and web gateways.
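One way to implement the gateway blocking US-CERT recommends is to triage by content rather than by file extension. The check below is an added example written for this article, not code from the advisory or from Microsoft; it assumes the public SYLK record layout (an `ID` header, `O` option records where `E` marks a macro sheet, `NN` defined-name records and `C` cell records whose `E` field holds a formula), and both sample files are constructed, with a placeholder in place of any real command.

```python
"""Content-based triage of SYLK files for XLM macro indicators (added example)."""
import re

# Formula functions whose presence in a SYLK cell warrants quarantine at a gateway.
RISKY_FUNCS = ("EXEC", "CALL", "REGISTER", "FORMULA", "RUN")
# Defined names that Excel treats as automatic macro entry points.
AUTO_NAMES = re.compile(r"auto_(open|close|activate)", re.IGNORECASE)


def _fields(line: str) -> list[str]:
    """Split a SYLK record on ';', honouring ';;' as an escaped semicolon."""
    return [f.replace("\x00", ";") for f in line.replace(";;", "\x00").split(";")]


def sylk_indicators(text: str) -> list[str]:
    """Return human-readable macro indicators found in SYLK content (empty if none)."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("ID;"):
        return []  # not SYLK content, whatever the extension says
    found = []
    for line in lines[1:]:
        fields = _fields(line)
        rtype = fields[0]
        if rtype == "O" and "E" in fields[1:]:
            found.append("O;E option record: sheet is marked as a macro sheet")
        elif rtype == "NN":
            for f in fields[1:]:
                if f.startswith("N") and AUTO_NAMES.search(f):
                    found.append(f"defined name {f[1:]}: auto-run macro entry point")
        elif rtype == "C":
            for f in fields[1:]:
                if f.startswith("E"):  # 'E' field carries a formula expression
                    formula = f[1:].upper()
                    found.extend(f"cell formula calls {fn}()" for fn in RISKY_FUNCS
                                 if fn + "(" in formula)
    return found


def should_block(text: str) -> bool:
    """Gateway decision: block any SYLK content carrying macro indicators."""
    return bool(sylk_indicators(text))


# Constructed samples: an ordinary data export and a macro-sheet file.
BENIGN_SLK = 'ID;PWXL;N;E\nC;Y1;X1;K"Quarterly totals"\nC;Y2;X1;K1200\nE\n'
MACRO_SLK = (
    "ID;P\n"
    "O;E\n"                                  # macro sheet option
    "NN;NAuto_Open;ER101C1\n"                # auto-run name pointing at a cell
    'C;X1;Y101;EEXEC("<placeholder command>")\n'
    "C;X1;Y102;EHALT()\n"
    "E\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SLK), ("macro", MACRO_SLK)):
        print(name, "->", "BLOCK" if should_block(sample) else "allow", sylk_indicators(sample))
```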

Another option is to enable the "Disable all macros with notification" option. In general this setting is less secure than disabling macros without notification, but in this case it is the better choice for Mac users until Microsoft releases a security update.

Peter Draper, technical director – EMEA for Gurucul, told SC Media UK that the possibilities are open for hackers to run arbitrary code through attached Excel files, which can achieve many things, from accessing data and sending information to becoming part of an attack on other devices or organisations.

"The only true way to identify if an attack is active using this vulnerability is by using behaviour analytics to identify anomalous and risky behaviour for users and devices. This would highlight where the behaviour of the attack is outside of the normal baseline for the user/device and allow alerting and response," he said.
