Black Hat 2020: ‘Zero-Click’ MacOS Exploit Chain Uses Microsoft Office Macros
A new "zero-click" macOS exploit chain could allow attackers to deliver malware to macOS users using a Microsoft Office document with macros.
The exploit chain, revealed by Patrick Wardle, principal security researcher with Jamf, at Black Hat USA 2020, runs macros without the alert or prompt that the Microsoft Office application normally shows to request explicit user approval, meaning that when a user opens the document, the macro is automatically executed.
Apple patched the flaws with the release of macOS 10.15.3, but told Wardle "This issue does not qualify for a CVE." Microsoft meanwhile told Wardle that the exploit chain was an issue "on the Apple side."
Microsoft also debuted a feature that sandboxed more recent versions of Microsoft Office applications that are running on modern versions of macOS - so even if macros are inadvertently allowed to run, they will find themselves running in a highly restrictive sandbox.
What this exploit chain means for an end user is that if they receive a Microsoft Office document and attempt to open it, the executable will automatically run: "Triggered by simply opening a malicious Office document, no alerts, prompts nor other user interactions were required in order to persistently infect even a fully-patched macOS Catalina system," Wardle said.
News URL
https://threatpost.com/black-hat-zero-click-macos-exploit-chain-microsoft-office-macros/158112/