However, Wardle’s exploit chain bypassed all of these security protections. Due to these current protections, previous macros-based exploits have had little success.
#DIABLING MACROS EXCEL FOR MAC SOFTWARE#
Notarizing is an automated system that scans software for malicious content and checks for code-signing issues. Microsoft also debuted a feature that sandboxed more recent versions of Microsoft Office applications that are running on modern versions of macOS – so even if (malicious) macros are inadvertently allowed to run, they will find themselves running in a highly restrictive sandbox.įrom Apple’s end, the company has created notarization checks to prevent potentially malicious code – downloaded from the internet – from executing on MacOS systems. The tech giant has disabled them in Microsoft Office by default, so a user gets an alert if they are enabling macros. Microsoft has attempted to block macros-based attacks. However, macros are also commonly abused by cybercriminals, who use them for delivering a malicious payload to the endpoint because they can be allowed with a simple, single mouse-click on the part of the user when prompted. Apple patched the flaws with the release of MacOS 10.15.3, but told Wardle “this issue does not qualify for a CVE.” Microsoft meanwhile told Wardle that the exploit chain was an issue “on the Apple side.” Current Macro-Based AttacksĪ macro is a snippet of executable code that can be added to Microsoft Office documents, generally used to accomplish a task automatically. Wardle notified both Microsoft and Apple about his findings.
#DIABLING MACROS EXCEL FOR MAC FULL#
“I found a sandbox escape and a bypass of Apple’s new notarization requirements, and combined that with another zero day (from another researcher) to make a full ‘zero-click’ exploit chain.”
“As the current attacks are lame… I wanted to make them ‘better’ to raise awareness about this attack vector, and also highlight how it could easily be worse,” Wardle told Threatpost. The exploit chain, revealed by Patrick Wardle, principal security researcher with Jamf, at Black Hat USA 2020, runs macros without an alert or prompt from the Microsoft Office application that prompts explicit user approval – meaning that when a user opens the document, the macro is automatically executed.
The attack bypasses security measures that both Microsoft and Apple have put in place to protect MacOS users from malicious macros. A new “zero-click” MacOS exploit chain could allow attackers to deliver malware to MacOS users using a Microsoft Office document with macros.
0 kommentar(er)
