Security Researcher Shows Off Now-Fixed macOS Hack That Used Microsoft Office

[MacRumors]

macOS users could be targeted with malicious attacks using Microsoft Office files that have macros embedded, according to details on the now-fixed exploit shared today by security researcher Patrick Wardle, who also spoke to Motherboard.

Hackers have long used Office files with macros embedded in them as a way to get access to Windows computers, but the exploit is also possible on macOS. According to Wardle, a Mac user could potentially be infected just by opening a Microsoft Office file that has a bad macro in it.

Wardle shared a blog post on the exploit that he found for manipulating Office files to impact Macs, which he's highlighting during today's online Black Hat security conference.

Apple fixed the exploit that Wardle used in macOS 10.15.3, so that particular vulnerability is no longer available for hackers to use, but it offers an interesting look at an emerging method of attack that we could see more of in the future.

Wardle's hack was complicated and involved multiple steps, so those interested in full details should read his blog, but basically he used an Office file with an old .slk format to run macros on macOS without informing the user.

"Security researchers love these ancient file formats because they were created at a time when no one was thinking about security," Wardle told Motherboard.

After using the antiquated file format to get macOS to run a macro in Microsoft Office without letting the user know, he used another flaw that let a hacker escape the Microsoft Office Sandbox with a file that uses a $ sign. The file was a .zip file, which macOS didn't check against the notarization protections that prevent users from opening files not from known developers.

A demonstration of a downloaded Microsoft Office file with a macro being used to open up Calculator.​

​

The exploit required the targeted person to log in to their Mac on two separate occasions as logins trigger different steps in the exploit chain, which makes it less likely to happen, but as Wardle says, only one person needs to fall for it.

Microsoft told Wardle that it has found that "any application, even when sandboxed, is vulnerable to misuse of these APIs," and that it is in contact with Apple to identify and fix issues as they arise. The vulnerabilities that Wardle used to demonstrate how macros can be abused have long since been patched by Apple, but there's always a chance that a similar exploit could pop up later.

Mac users are not invulnerable to viruses and should exercise caution when downloading and opening files from unknown sources, and sometimes, even known sources. It's best to stay away from suspicious Office files and other files that have shady origins, even with the protections that Apple has built into macOS.

Article Link: Security Researcher Shows Off Now-Fixed macOS Hack That Used Microsoft Office

 

[coords]

Yet another reason NOT to use M$ junk!!

 

[now i see it]

Most Mac users aren't running MacOS 10.15.3 which fixed the vulnerability- so to all of you out there - you're still screwed

 

[AngerDanger]

You know **** got real when they break out the slab serif font.

 

[Valérie Giguère]

Most Mac users aren't running MacOS 10.15.3 which fixed the vulnerability- so to all of you out there - you're still screwed

Exactly. I'm running Mojave and won't upgrade so why didn't Apple just include the patch in the Security Update for Mojave instead ?

 

[PlayUltimate]

This is more of a Trojan horse than a virus; albeit, most people don't know the difference.

Note: for extra security, your Admin user should not be your daily user. I always have my family members create a Me (Standard) and Me_Admin (Admin) users when they get a computer. Just makes an extra step to get access to root directories, install apps, etc.

 

[JosephAW]

At what point in the hack do I enter my administrator account password to gain root access?

 

[ArtOfWarfare]

At what point in the hack do I enter my administrator account password to gain root access?

I wonder if we care too much about root access. Without root access, a hacker can still set up crypto-mining and transfer everything mined to their own wallet.

 

[Chompineer]

Yet another reason NOT to use M$ junk!!

Lol. Chill. Apple is guilty of plenty of faults too.

 

[MauiPa]

Most Mac users aren't running MacOS 10.15.3 which fixed the vulnerability- so to all of you out there - you're still screwed

haha. Only if you use that crappy software and open one of the office file with the bug in it, which most people won't be doing. so I guess, screwed is a relative term?

 

[MauiPa]

Lol. Chill. Apple is guilty of plenty of faults too.

plenty, as in a heck of a lot less? Agreed.

This highlights one of the real flaws in Microsoft's obsession with backward compatibility. Did you notice the problem arises from being allowed to open a file format that no one even remembers anymore? some old doggy code buried in (the known to be a security risk for years) macros, that should have been excised when they actually fixed the security holes in the macro code years ago. Yet, the old unfixed file formats can still be opened? How much of this crap is still out there. Time to make obsolete products, obsolete

 

[MauiPa]

This is more of a Trojan horse than a virus; albeit, most people don't know the difference.

Note: for extra security, your Admin user should not be your daily user. I always have my family members create a Me (Standard) and Me_Admin (Admin) users when they get a computer. Just makes an extra step to get access to root directories, install apps, etc.

and a windows admin told me this practice. applies to all (or a lot) systems

 

[MauiPa]

Exactly. I'm running Mojave and won't upgrade so why didn't Apple just include the patch in the Security Update for Mojave instead ?

Funny question. but just because the author didn't mention a fix to an older OS, doesn't mean it didn't get made, yah? You should check real sources, not just this article

 

[JosephAW]

This hack probably worked great with high sierra dot zero release.

 

[MauiPa]

Exactly. I'm running Mojave and won't upgrade so why didn't Apple just include the patch in the Security Update for Mojave instead ?

I did some work for you. Easy instead of getting upset for nothing. Here is the security patch title "About the security content of macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra". I distinctly read Mojave in the text.

Here is the link: https://support.apple.com/en-us/HT210919. The last section "
SharedFileList
We would like to acknowledge Patrick Wardle of Jamf for their assistance.
Entry added April 4, 2020". Wardle is the guy who found it as mentioned in article

Your welcome
.

 

[MauiPa]

This hack probably worked great with high sierra dot zero release.

About the security content of macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra

About the security content of macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra - Apple Support

This document describes the security content of macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra.

support.apple.com

 

[lionel77]

The exploit required the targeted person to log in to their Mac on two separate occasions as logins trigger different steps in the exploit chain, which makes it less likely to happen

This part in the article seems wrong. The fact that the exploit requires two logins/restarts does not make it less likely to happen; it just means it might take some time until it becomes fully operational.

Wardle's original article is actually a pretty interesting read, if you have a few minutes. My favorite part is:

if the “Disable all macros without notification” setting is enabled, ironically, this macro code will be automatically executed anytime the document is opened!

 

[btrach144]

plenty, as in a heck of a lot less? Agreed.

This highlights one of the real flaws in Microsoft's obsession with backward compatibility. Did you notice the problem arises from being allowed to open a file format that no one even remembers anymore? some old doggy code buried in (the known to be a security risk for years) macros, that should have been excised when they actually fixed the security holes in the macro code years ago. Yet, the old unfixed file formats can still be opened? How much of this crap is still out there. Time to make obsolete products, obsolete

And on the flip, making things obsolete is what grinds people's gears about Apple.

Just because you don't use it, doesn't mean someone isn't.

 

[Apple_Robert]

I am glad the hack was patched. Stick with Apple apps whenever possible. And when you can’t, be careful what you open and never run as admin. I also make it a habit to never open anything from email. I also confirm with the sender before opening any. While there are no active viruses on the Mac, I take care not to get infected with malware of allow an outside actor access to my system.

 

[btrach144]

I am glad the hack was patched. Stick with Apple apps whenever possible. And when you can’t, be careful what you open and never run as admin. I also make it a habit to never open anything from email. I also confirm with the sender before opening any. While there are no active viruses on the Mac, I take care not to get infected with malware of allow an outside actor access to my system.

Correction, there are none that the public knows about. Keep in mind that there is a company who buys hacks to resell to governments and they stopped buying Apple hacks because they have so many already.

List of recent macOS security events: https://www.macworld.co.uk/feature/mac-software/mac-viruses-list-3668354/

 

[Mr. Awesome]

You know **** got real when they break out the slab serif font.

And check out those blood splatter icons.

And that hacker wearing a totally inconspicuous hat. And the snake eyes. That’s what real hackers look like, kids.

*Wait, what? They’re not blood icons? That’s way less exciting/terrifying.*

 

[Apple_Robert]

Correction, there are none that the public knows about. Keep in mind that there is a company who buys hacks to resell to governments and they stopped buying Apple hacks because they have so many already.

List of recent macOS security events: https://www.macworld.co.uk/feature/mac-software/mac-viruses-list-3668354/

In my mind, a hack and a virus are two different things. I was speaking of viruses.

 

[Dave-Z]

Yet another reason NOT to use M$ junk!!

And yet it was Apple who patched their operating system because macOS was allowing the malicious software to carry out actions outside of Office, actions that should not have been permitted.

 

[rjp1]

Great news after they announced the other day they wouldn't be patching Office 2016 any more ?

 

[insomniac86]

plenty, as in a heck of a lot less? Agreed.

This highlights one of the real flaws in Microsoft's obsession with backward compatibility. Did you notice the problem arises from being allowed to open a file format that no one even remembers anymore? some old doggy code buried in (the known to be a security risk for years) macros, that should have been excised when they actually fixed the security holes in the macro code years ago. Yet, the old unfixed file formats can still be opened? How much of this crap is still out there. Time to make obsolete products, obsolete

Thing is, when Apple F up, they do a Stella job.
Remember this?
A serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check.

Major macOS High Sierra Bug Allows Full Admin Access Without Password - How to Fix [Updated]

There appears to be a serious bug in macOS High Sierra that enables the root superuser on a Mac with a blank password and no security check. The...

www.macrumors.com

There was a few other major security issues in the last 3 or so years.
But that one above is probably the worst in years from any operating system.
(Excluding hardware bugs like Meltdown/Spectre, that were probably the biggest security bugs in years.)