Mac users warned that disabling all Office macros doesn’t actually disable all Office macros

Graham Cluley warned: "It’s been almost 25 years since macro malware first reared its head, and it would be nice to think that the defences Microsoft has built into its Office suite in the years since would do a half-decent job of stemming the threat.

Unfortunately, it seems that’s not the case – at least not for users of the Mac version of Microsoft Office.

As The Register reports, the CERT Coordination Center at Carnegie Mellon University has warned that one of the countermeasures built into Office for Mac against malicious macros is defective.

Astonishingly, consumers and companies who believe they have protected their computers by configuring MS Office to “Disable all macros without notification” are actually opening themselves up to the possibility of being silently infected.

The problem, first uncovered by Netherlands-based security outfit Outflank and reported to Microsoft a year ago, is related to Microsoft Excel’s support for a legacy type of macros known as XLM or Excel 4.0 macros. Microsoft has previously encouraged users of XLM macros to migrate them to the latest version of Microsoft Visual Basic for Applications (VBA), but still supports the XLM format.

And that’s a problem – because Office 2011 for Mac does not properly warn users of the presence of XLM macros within SYLK files.

That would be bad enough, but when the “Disable all macros without notification” feature is enabled, the XLM macros are actually automatically executed without any warning or prompts being shown to the user.

Without enabling any macros, Outflank were able to trick Excel into running macro code:

“I did not yet enable macros but already some part of the macro got interpreted? Further looking into it, I noticed that the Sylk was opened with Excel 2011, instead of Excel 2016 which I also had installed.”

(Fully patched versions of Office 2016 and Office 2019 for Mac reportedly do correctly report the presence of XLM macros inside SYLK files.)

At the time of writing there is no officially released patch from Microsoft for vulnerable versions of Office for Mac, but you may choose to switch from “Disable all macros without notification” to the normally less secure “Disable all macros with notification”.

CERT additionally recommends considering blocking Sylk (.SLK) file attachments at your email gateway, although, as Outflank claims that the threat still works if a booby-trapped .SLK file is renamed to a usually-considered-harmless .CSV (comma-separated values) file, that may not be enough. Of course, none of this explains why Microsoft’s own quality control team didn’t spot this issue in the first place…"

This was cross-posted from Graham Cluley's blog with grateful acknowledgement, and a recommendation to subscribe to his newsletter.
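Because an extension-based gateway block is defeated by renaming an .SLK file to .CSV, a practical mitigation is to classify attachments by content rather than by name. The following is an added example (not code from the article, from Outflank or from CERT/CC) that detects SYLK files by their leading `ID;` record and reports whether any cell record carries an expression field; the sample attachments are constructed, contain no macro payload, and the SYLK field parsing is a simplification of the format.

```python
import re
from pathlib import Path

# Constructed sample attachments (not taken from the article): a genuine CSV,
# a SYLK spreadsheet that was renamed to .csv, and a plain SYLK file.
# The only formula present is harmless arithmetic; no macro payload is included.
SAMPLES = {
    "report.csv": b"name,total\nalice,3\n",
    "invoice.csv": b"ID;PWXL;N;E\r\nC;X1;Y1;K1\r\nC;X2;Y1;ER1C1*2\r\nE\r\n",
    "notes.slk": b"ID;PWXL;N;E\r\nC;X1;Y1;K\"hello\"\r\nE\r\n",
}

# Assumption: a SYLK file always begins with an ID record ("ID;...").
SYLK_MAGIC = b"ID;"


def is_sylk(data: bytes) -> bool:
    """Content-based check that ignores the file extension entirely."""
    return data.lstrip(b"\xef\xbb\xbf").startswith(SYLK_MAGIC)


def sylk_has_formulas(data: bytes) -> bool:
    """True if any cell (C) record carries an expression (E) field."""
    for raw in data.splitlines():
        line = raw.decode("latin-1")
        if not line.startswith("C;"):
            continue
        # Fields are ';'-separated; a literal ';' inside a field is written ';;'.
        # Splitting only on lone semicolons is an approximation of that rule.
        fields = re.split(r"(?<!;);(?!;)", line)[1:]
        if any(f.startswith("E") for f in fields):
            return True
    return False


def classify(name: str, data: bytes) -> str:
    """Verdict for one attachment: 'allow' or 'block:<reasons>'."""
    if not is_sylk(data):
        return "allow"
    reason = "sylk-content"
    if sylk_has_formulas(data):
        reason += "-formulas"
    if Path(name).suffix.lower() != ".slk":
        reason += "-extension-mismatch"  # renamed file, as described in the article
    return "block:" + reason


def scan(samples: dict) -> dict:
    return {name: classify(name, data) for name, data in samples.items()}
```

A gateway policy built on `is_sylk` blocks the renamed file as well as the plain .SLK, which the extension filter alone would miss.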
