Any Apple users out there still running Microsoft Office for Mac 2011? If so, there are at least two reasons why that might not be a good idea.
The first is that Microsoft stopped supporting this version with bug and security fixes in October 2017, which means that any vulnerabilities in the software are essentially there forever.
The second is that the US CERT Coordination Center (CERT/CC) has issued a warning prompted by new research. The warning details the risky way Office for Mac 2011 handles a forgotten macro format called XML (no relation to XML markup) when embedded inside a Microsoft spreadsheet exchange format called SYLK (SYmbolic LinK).
It’s unlikely many people will have heard of either but as with so many formats from the distant past, support for them lingers on inside today’s software as something attackers might exploit in certain circumstances.
Last year, Dutch researchers noticed that SYLK’s .slk file format was a great “candidate for weaponization on Mac” for reasons that have been underestimated.
First, Office’s ‘be careful’ protected mode sandbox warnings weren’t triggered when trying to open files in this format.
More seriously, in Office for Mac 2011, the default macro execution warning – disable all macros without notification – could allow an attack exploiting XML inside .slk files to slip through unnoticed.
The only alternatives to this are the clearly unwise enable all macros or disable macros with notification which stops any macros from running automatically but informs the user each time it has to intervene.
Disable all macros without notification should be safer but, ironically disable macros with notification is the option that would warn of a malicious XML/SYLK file.
Workaround
If you run Office for Mac 2011, the oversight will almost certainly never be fixed because, as already noted, this version is no longer supported and hasn’t been getting updates for more thwn two years already.
A workaround of sorts is to reset the default macro setting to disable macros with notification, which is achieved by opening Excel and clicking Preferences > Security & Privacy > Disable all macros with notification.
The downside of this is that it raises the chances of a standard malicious VBA macro from executing because there’s a chance the user will make the wrong decision.
As for newer versions of Office for Mac, according to CERT/CC, Microsoft fixed the executions oversight in Office 2016 and Office 2019, which means these versions should be safe in the new default disable macros with notification state.
However, according to the same researchers, that might not be the case if the later ‘fixed’ version (Office for Mac 2016, say) was installed over an older version, in which case the vulnerable mapping and default notification appears to be inherited.
We can’t confirm this but it’s worth bearing in mind if you upgraded from Office for Mac 2011 to a later version.
Windows and beyond
Although the problem is specific to one version of Office on the Mac, there’s no reason why malicious XML/SYLK files couldn’t in principle be used to target Windows versions too.
On Windows, you can use the Office Trust Center to block SYLK files on the basis that if the format is not being used it won’t be missed.
While you’re about it, you might as well block .SLK files at your network gateway, too, whether they’re delivered as email attachments or web downloads, especially if you have Mac users, who don’t have access to the Office Trust Center feature.
In recent times, forgotten, obscure or downright obsolete file formats have turned into a nuisance for email and office application users, with attackers mining them for their malicious potential.
Blocklists are a handy defence, with Microsoft recently putting another 38 old formats out to pasture to help reduce the attack surface.
But every time they add to the list, someone finds another one that might cause trouble. These formats have taken decades to build up – getting rid of them might take almost as long.
Kevin Holley
I read the article and it seems the Office 2016 over Office 2011 vulnerability that you mention is because Office 2011 stays around and is linked to those file types. So the solution is to be sure to uninstall Office 2011 if you have the newer version?
Paul Ducklin
I think it’s not so much that Office 2011 remains behind (so I don’t think it can be uninstalled as such after the upgrade is finished) but that some components or configuration files are carried over when you upgrade in a way that doesn’t happen if you install 2016 fresh from scratch.
Kevin Holley
Just wondered where you are reading that? The article you linked clearly said that the Office 2011 version of Excel opens in error when you open one of the problem files doesn’t it?
Paul Ducklin
Yes, I see what you mean – sounds as though the researcher had both versions installed separately (i.e. could run either or both at the same time) rather than 2011 upgraded to 2016.
In that case, it does indeed sound as though uninstalling 2011 altogether would sidestep the issue.
I also wonder if changing the default app for opening SLK files in macOS (for example by forcing them to open with Textedit) would mitigate the risk?
Can’t test it myself as I have never installed Office on my Mac (Keynote + Numbers + Pages for me).
David
This sounds a lot like a problem which Microsoft fixed 20 years ago (SYLK format was a bit old even then).
https://docs.microsoft.com/en-us/security-updates/securitybulletins/1999/ms99-044
Paul Ducklin
Old bugs never die, they just rest for a bit :;-)
Hat tip for an article that references a CVE from last century – CVE-1999-0794.