search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Office for Mac cannot properly disable XLM macros

Vulnerability Note VU#125336

Original Release Date: 2019-11-01 | Last Revised: 2019-11-15

Overview

The Microsoft Office for Mac option "Disable all macros without notification" enables XLM macros without prompting, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

XLM macros

Up to and including Microsoft Excel 4.0, a macro format called XLM was available. XLM macros predate the VBA macros that are more common with modern Microsoft Office systems, however current Microsoft Office versions still support XLM macros.

SYLK and XLM macros

XLM macros can be incorporated into SYLK files, as outlined by Outflank. Macros in the SYLK format are problematic in that Microsoft Office does not open in Protected View to help protect users. This means that users may be a single click away from arbitrary code execution via a document that originated from the internet.

SYLK and XLM macros with Microsoft Office for Mac

It has been reported that Office 2011 for Mac fails to warn users before opening SYLK files that contain XLM macros. According to this post, Microsoft has reported that Office 2016 and Office 2019 for Mac properly prompt the user before executing XLM macros in SYLK files.

The Problem

If Office for the Mac has been configured to use the "Disable all macros without notification" feature, XLM macros in SYLK files are executed without prompting the user.

Impact

By convincing a user to open specially-crafted Microsoft Excel content on a Mac that has "Disable all macros without notification" enabled, a remote, unauthenticated attacker may be able to execute arbitrary code with privileges of the user running Excel.

Solution

Apply an update

This issue is addressed for Office 2016 for Mac build 16.16.16 (19111100) and Office 2019 for Mac build 16.31 (19111002), as described in the Microsoft Security update for CVE-2019-1457.

Block SYLK files at email and web gateways

SYLK files, which have the file extension SLK, should be blocked at email and web gateways to help prevent exploitation of this vulnerability.

Vendor Information

125336
 

Microsoft Affected

Notified:  October 31, 2019 Updated: November 12, 2019

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal 5.8 E:POC/RL:W/RC:C
Environmental 4.4 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Acknowledgements

This issue was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2019-1457
Date Public: 2019-10-31
Date First Published: 2019-11-01
Date Last Updated: 2019-11-15 12:51 UTC
Document Revision: 38

Sponsored by CISA.