During the annual Black Hat security conference, which is being held online this year due to the COVID-19 pandemic, security researcher and former NSA hacker Patrick Wardle will demonstrate how he was able to create a chain of exploits that can take control of a Mac by simply convincing the target to open a Microsoft Office file.
Wardle found out that he could create an Office file with an ancient file format (.slk), that would prompt Office to automatically run macros on MacOS without alerting the user. He then took advantage of a flaw discovered by another researcher, which allows a hacker to escape the Microsoft Office sandbox by creating a file that starts with the “$” sign.
“Current MacOS attacks are very ineffective, kind of lame,” Wardle told Motherboard in a phone call. “I basically said, could things be worse?”
“Security researchers love these ancient file formats because they were created at a time when no one was thinking about security,” Wardle added.
Finally, the last piece of the puzzle was to realize that if that file was a .zip file, MacOS wouldn’t check it against its new notarization protections, which technically won’t allow files downloaded from the internet to access user files unless they come from known developers.
It’s worth noting, and Wardle admitted it too, that for this exploit to work, the victim has to login into their Mac computer on two separate occasions, as every login triggers a different step in the chain.
The flaws Wardle took advantage of are now fixed for the latest version of Office on Mac, and for MacOS 10.15.3. Wardle said that, however, Apple was unresponsive when he reported the flaws
