Sophos News

Office for Mac 2011 users warned about SYLK file format

Any Apple users out there still running Microsoft Office for Mac 2011? If so, there are at least two reasons why that might not be a good idea.

The first is that Microsoft stopped supporting this version with bug and security fixes in October 2017, which means that any vulnerabilities in the software are essentially there forever.

The second is that the US CERT Coordination Center (CERT/CC) has issued a warning prompted by new research. The warning details the risky way Office for Mac 2011 handles a forgotten macro format called XLM (no relation to XML markup) when embedded inside a Microsoft spreadsheet exchange format called SYLK (SYmbolic LinK).

It’s unlikely many people will have heard of either, but as with so many formats from the distant past, support for them lingers on inside today’s software as something attackers might exploit in certain circumstances.

Last year, Dutch researchers noticed that SYLK’s .slk file format was a great “candidate for weaponization on Mac” for reasons that have been underestimated.

First, Office’s ‘be careful’ protected mode sandbox warnings weren’t triggered when trying to open files in this format.

More seriously, in Office for Mac 2011, the default macro execution warning – disable all macros without notification – could allow an attack exploiting XLM inside .slk files to slip through unnoticed.

The only alternatives to this are the clearly unwise ‘enable all macros’ and ‘disable macros with notification’, which stops any macros from running automatically but informs the user each time it has to intervene.

‘Disable all macros without notification’ should be safer but, ironically, ‘disable macros with notification’ is the option that would warn of a malicious XLM/SYLK file.

Workaround

If you run Office for Mac 2011, the oversight will almost certainly never be fixed because, as already noted, this version is no longer supported and hasn’t been getting updates for more than two years already.

A workaround of sorts is to reset the default macro setting to disable macros with notification, which is achieved by opening Excel and clicking Preferences > Security & Privacy > Disable all macros with notification.

The downside of this is that it raises the chances of a standard malicious VBA macro executing, because there’s a chance the user will make the wrong decision when prompted.

As for newer versions of Office for Mac, according to CERT/CC, Microsoft fixed the execution oversight in Office 2016 and Office 2019, which means these versions should be safe in the new default ‘disable macros with notification’ state.

However, according to the same researchers, that might not be the case if the later ‘fixed’ version (Office for Mac 2016, say) was installed over an older version, in which case the vulnerable mapping and default notification setting appear to be inherited.

We can’t confirm this but it’s worth bearing in mind if you upgraded from Office for Mac 2011 to a later version.

Windows and beyond

Although the problem is specific to one version of Office on the Mac, there’s no reason why malicious XLM/SYLK files couldn’t in principle be used to target Windows versions too.

On Windows, you can use the Office Trust Center to block SYLK files on the basis that if the format is not being used it won’t be missed.

While you’re about it, you might as well block .SLK files at your network gateway, too, whether they’re delivered as email attachments or web downloads, especially if you have Mac users, who don’t have access to the Office Trust Center feature.
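A gateway rule keyed on the .SLK extension misses a SYLK file that arrives under another name, so a content check is the more reliable way to apply the block described above. The following is an added example (not code from Sophos, CERT/CC or the researchers) of such a check; it assumes only that every SYLK file opens with its ID;P header record, and the sample attachments are constructed for the demonstration.

```python
"""Content-based SYLK detector for a mail or web gateway (added example, not
Sophos/CERT code). Blocks on the file's own signature rather than its name."""

SYLK_MAGIC = b"ID;P"  # every SYLK file opens with an ID record, e.g. "ID;PWXL;N;E"

def sylk_records(data: bytes):
    """Yield (record_type, fields). Records are newline separated, fields are
    ';' separated, and a literal ';' inside a value is escaped as ';;'."""
    for line in data.decode("latin-1").splitlines():
        if not line:
            continue
        fields = [f.replace("\x00", ";") for f in line.replace(";;", "\x00").split(";")]
        yield fields[0], fields[1:]

def classify_attachment(filename: str, data: bytes) -> dict:
    """Gateway verdict: any SYLK content is blocked, whatever the extension says."""
    is_sylk = data.startswith(SYLK_MAGIC)
    cells = formula_cells = 0
    if is_sylk:
        for rtype, fields in sylk_records(data):
            if rtype == "C":  # a cell record
                cells += 1
                # an 'E' field carries a formula/expression instead of a plain
                # 'K' value; a pure data-exchange file normally has none, so the
                # count is reported as an extra indicator for the analyst
                if any(f.startswith("E") for f in fields):
                    formula_cells += 1
    ext_mismatch = is_sylk and not filename.lower().endswith(".slk")
    reasons = []
    if is_sylk:
        reasons.append("sylk-content")
    if ext_mismatch:
        reasons.append("extension-mismatch")
    if formula_cells:
        reasons.append("formula-cells")
    return {"is_sylk": is_sylk, "cells": cells, "formula_cells": formula_cells,
            "extension_mismatch": ext_mismatch,
            "verdict": "block" if is_sylk else "allow", "reasons": reasons}

# Constructed samples (not real attachments)
SAMPLE_CSV = b"item,qty\r\nwidget,42\r\n"
SAMPLE_SYLK_PLAIN = b'ID;PWXL;N;E\r\nC;X1;Y1;K"Item"\r\nC;X2;Y1;K42\r\nE\r\n'
SAMPLE_SYLK_FORMULA = b'ID;PWXL;N;E\r\nC;X1;Y1;K"Qty"\r\nC;X2;Y1;K42\r\nC;X2;Y2;ER1C2*2\r\nE\r\n'

if __name__ == "__main__":
    for name, blob in [("data.csv", SAMPLE_CSV), ("report.slk", SAMPLE_SYLK_PLAIN),
                       ("invoice.csv", SAMPLE_SYLK_FORMULA)]:
        print(name, classify_attachment(name, blob))
```

The third sample shows the case the extension rule misses: SYLK content delivered as invoice.csv is still caught, and the formula count is surfaced alongside the block verdict.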

In recent times, forgotten, obscure or downright obsolete file formats have turned into a nuisance for email and office application users, with attackers mining them for their malicious potential.

Blocklists are a handy defence, with Microsoft recently putting another 38 old formats out to pasture to help reduce the attack surface.

But every time they add to the list, someone finds another one that might cause trouble. These formats have taken decades to build up – getting rid of them might take almost as long.