Microsoft Office for Mac users are being warned that malicious SYLK files are sneaking past endpoint defenses even when the “disable all macros without notification” is turned on. This leaves systems vulnerable to a remote, unauthenticated attackers who can execute arbitrary code.
The warning comes from United States Computer Emergency Readiness Team (US-CERT), which said that symbolic link (SYLK) files can contain dangerous Excel macros.
“XLM macros can be incorporated into SYLK files,” wrote CERT on Friday. “Macros in the SYLK format are problematic in that Microsoft Office does not open in Protected View to help protect users.”
Protected View (see image below) is a read-only mode where editing functions are disabled, which also renders malicious macros dead in the water. SYLK files aren’t subject to this, which leaves users “a single click away from arbitrary code-execution via a document that originated from the internet,” CERT wrote.
Ironically, only when a user plays it safe and configures their Office for Mac 2016 through 2019 to “disable all macros without notification” does the flaw exist. “If Office for the Mac has been configured to use the ‘disable all macros without notification’ feature, XLM macros in SYLK files are executed without prompting the user,” they said.
This bug has been confirmed in fully patched Office 2016 and Office 2019 for Mac systems. It is also been confirmed on Microsoft Office 2011 for Mac.
“By convincing a user to open specially-crafted Microsoft Excel content on a Mac that has ‘disable all macros without notification’ enabled, a remote, unauthenticated attacker may be able to execute arbitrary code with privileges of the user running Excel,” researchers wrote.
A file with the XLM file extension is an Excel 4.0 Macro file. Macros allow automation so that repetitive tasks can be “played” to save time and lower the likelihood of errors. SYLK, on the other hand, is an ancient file format dating back to the 1980s that is still supported by Microsoft Office. Using the two together, bad actors can put XLM macros into SYLK files.
“As it turns out, this [SYLK] file format is a very good candidate for creating weaponized documents that can be used by attackers to establish an initial foothold,” wrote researchers at Outflank in a report that posted Thursday.
Researchers note that attackers like to leverage SYLK files because it’s not just Office for Mac that can b vulnerable: “SYLK is not included in the MS Outlook blocked attachments list. SYLK is not included in the default [Outlook Web Access] OWA blocked extensions list. [And] SYLK is not marked as dangerous in Chrome’s safe browsing file type list.”
Outflank suggests the best way to mitigate abuse is to completely block SYLK files in MS Office. This can be done via the File Block settings in the MS Office Trust Center settings.
What are the top mistakes leading to data breaches at modern enterprises? Find out: Join an expert from SpyCloud and Threatpost senior editor Tara Seals on our upcoming free Threatpost webinar, “Trends in Fortune 1000 Breach Exposure.” Click here to register.
