Thus, macros embedded in a document won’t execute if opened for example, in Apple’s Page.app.Īlso, (unless an exploit is leveraged) the Microsoft Office application will sternly warn the user about embedded macros when opening a macro-ladened document …and requires the user to explicitly click the ‘Enable Macros’ button before they are allowed to execute.įinally, recent versions of Microsoft Office applications, running on modern versions of macOS will be sandboxed. First, macros are a “Microsoft” technology, and as such, (generally) only work in Microsoft applications. Now, it is important to note a few things.
#Do macros work on office for mac code
To conclude, we’ll explore Apple’s new Endpoint Security Framework illustrating how it can be leveraged to thwart each stage of our exploit chain, as well as generically detect advanced “document-delivered” payloads and even persistent nation-state malware!īefore we dive into our document-based exploit chain, let’s briefly talk about macros.įirst, what is a macro? In short, it’s a snippet of executable code that can be added Microsoft Office documents (generally for the purpose of automating repetitive tasks):Īs shown in the image above, we’ve created a simple “Hello World!” macro that may be automatically executed whenever the document is opened, as it is placed within the AutoOpen subroutine. Triggered by simply opening a malicious (macro-laced) Office document, no alerts, prompts, nor other user interactions were required in order to persistently infect even a fully-patched macOS Catalina system!
#Do macros work on office for mac full
However, things could be far worse! Here, we’ll detail the creation of a powerful exploit chain that began with CVE-2019-1457, leveraged a new sandbox escape and ended with a full bypass of Apple’s stringent notarization requirements. Though sophisticated APT groups are behind several of these attacks, these malicious documents and their payloads remain severely constrained by recent application and OS-level security mechanisms.
In this talk, we will begin by analyzing recent macro-laden documents targeting Apple’s desktop OS, highlighting the macOS-specific exploit code and payloads.
However on macOS though such attacks are growing in popularity and are quite en vogue, they have received far less attention from the research and security community. In the world of Windows, macro-based Office attacks are well understood (and frankly are rather old news). In this blog post complements my recent BlackHat/DefCon talk, " Office Drama on macOS".
0 kommentar(er)
