Difficult-to-exploit bug no longer limited to Office 2011. Will Microsoft patch?

Security researchers have renewed their warnings over a zero-day vulnerability in Microsoft Excel that may, in some scenarios, allow the automatic and silent execution of embedded macros on macOS.

The bug, which involves the processing of XLM macros (a legacy format) in SYmbolic LinK (Sylk) files, was originally discovered by Pieter Ceelen of Outflank, who went public with his findings after a presentation at the DerbyCon conference last year.

The security shortcoming was first demonstrated in Office 2011 for Mac.

Although the security flaw was recently found to impact all recent versions of Microsoft Office for macOS – rather than simply the long-obsolete Office 2011 – the practical impact of the bug is still low due to a combination of application sandboxing and recent security enhancements found in macOS Catalina.

However, where these obstacles to exploitation can be overcome, “opening a maliciously crafted Excel spreadsheet may lead to the automatic and silent execution of embedded macros – even if ‘Disable all macros without notification’ has been set,” Mac security expert Patrick Wardle warns in a technical blog post.

“It’s not every day we get a new 0day that affects macOS (in this case, indirectly via a Microsoft application),” he added.

Silencing the vulnerability

Mac users can mitigate this aspect of the flaw by ensuring their security settings in Microsoft Office are set to ‘Disable all macros with notification’.

Silent macro execution only happens when the ‘Disable all macros without notification’ setting is selected.

Last year, when the issue first arose, Microsoft decided that the flaw was not something that necessitated patching.

The “won’t patch” stance was not unreasonable given that the issue was thought to be limited to an obsolete version of Office for Mac.

However, this may change following the discovery that all recent versions of Microsoft Office on macOS are affected.

The Daily Swig asked Microsoft for comment on the bug, and whether or not it now saw the need for a patch, but we’re yet to hear back – so Redmond’s intentions remain unclear.

Even though exploitation of the vulnerability is difficult and perhaps unreliable because of application sandboxing, it’s still a security flaw that cyber spies or other advanced attackers might find of some utility. From that perspective, developing a software fix might seem prudent.

