It’s been almost 25 years since macro malware first reared its head, and it would be nice to think that the defences Microsoft has built into its Office suite in the years since would do a half-decent job of stemming the threat.
Unfortunately, it seems that’s not the case – at least not for users of the Mac version of Microsoft Office.
Astonishingly, consumers and companies who believe they have protected their computers by configuring MS Office to “Disable all macros without notification” are actually opening themselves up the possibility of being silently infected.
The problem, first uncovered by Netherlands-based security outfit Outflank and reported to Microsoft a year ago, is related to Microsoft Excel’s support for a legacy type of macros known as XLM or Excel 4.0 macros. Microsoft has previously encouraged users of XLM macros to migrate them to the latest version of Microsoft Visual Basic for Applications (VBA), but still supports the XLM format.
And that’s a problem – because Office 2011 for Mac does not properly warn users of the presence of XLM macros within SYLK files.
That would be bad enough, but when the “Disable all macros without notification” feature is enabled, the XLM macros are actually automatically executed without any warning or prompts being shown to the user.
Without enabling any macros, Outflank were able to trick Excel into running macro code:
“I did not yet enable macros but already some part of the macro got interpreted? Further looking into it, I noticed that the Sylk was opened with Excel 2011, instead of Excel 2016 which I also had installed.”
(Fully patched versions of Office 2016 and Office 2019 for Mac reportedly do correctly report the presence of XLM macros inside SYLK files.)
At the time of writing there is no officially released patch from Microsoft for vulnerable versions of Office for Mac, but you may choose to switch from “Disable all macros without notification” to the normally less secure “Disable all macros with notification”.
CERT additionally recommends considering blocking Sylk (.SLK) file attachments at your email gateway, although as Outflank claims that the threat still works if a boobytrapped .SLK file is renamed to be a usually-considered harmless .CSV (comma-separated values) file that may not be enough.
Of course, none of this explains why Microsoft’s own quality control team didn’t spot this issue in the first place…