Mac malware could take over your laptop with a single Microsoft Office file

You don't normally think of Macs being vulnerable to Microsoft security flaws, but that's exactly what seems to have happened regarding a weakness in macOS 10.15 Catalina.

Patrick Wardle, famous (or notorious) for finding several serious vulnerabilities in Macs over the past decade, explained in a blog post on August 4 that a remote hacker could take total control of a Mac simply by getting the user to open a booby-trapped Microsoft Office file.

The hack requires the legitimate user to log into the system twice for it all to work, but as Wardle told Vice Motherboard, that doesn't make it any less effective.

"Humans are impatient," Wardle told Vice. "Exploits don't have to be." 

Wardle alerted both Apple and Microsoft in November 2019 to this attack method, which chains together exploits of both companies' software.

Microsoft fixed its flaws that month, and the Mac flaws were patched by Apple with the release of macOS 10.15.3 Catalina back in January 2020. (Wardle said he got no acknowledgement from Apple in the macOS Catalina 10.15.3 release notes until he "confronted" the company.)

Wardle plans to further demonstrate and detail his attack method in a virtual presentation at the Black Hat security conference on August 5.

Tom's Guide approached Apple for comment, and we were pointed to the macOS Catalina release notes linked to above.

Chain of tools

Wardle's hack chains together exploits of several vulnerabilities, the most important of which is a plain old Office macro, a simple script that automates tasks for the convenience of the user. 

"While such attacks are growing in popularity, current attacks are (still) rather lame!" Wardle wrote in his blog post. "However, with a bit of creativity we illustrated things could be far wors[e]!"

Macros are well known to be security risks for Windows, though less so for Macs. By default, Microsoft Office on either platform opens files downloaded from the internet in "safe mode" so that macros don't automatically run, and prompts users to authorize macros every time a document is opened. 

On Macs, Wardle pointed out, Office applications are "sandboxed" so that malware will have a hard time escaping to affect other applications. Furthermore, macOS 10.15 Catalina checks all software for "notarization" and quarantines anything suspicious.

Sneaking past the safeguards

But Wardle's chain of exploits slips by all those safeguards.

"We were easily able to automatically execute macros without user approval, escape the Microsoft Office sandbox [and] bypass Apple's new notarization requirement," he wrote. "End result? a malicious (unsigned) macOS backdoor persistently installed on the (fully patched) macOS system!"

Wardle started by using a Sylk file, or symbolic-link file, an ancient file format from the 1980s meant to port data from one Office application to another. 

Microsoft still supports Sylk, even though two researchers discovered last fall that you could use a Sylk file to force Office on Macs to run macros without user permission, and that those macros could then download and run malware.

Even then, anything done by the rogue Sylk macro, including the malware installation, would still be confined in the Office sandbox and not affect the rest of the Mac. 

The almighty dollar sign

To get over that hurdle, Wardle used another known flaw: If you put a "$" character, a dollar sign, at the beginning of the name of a Microsoft Office file, you can save that file anywhere on a Mac, even outside the Office sandbox.

You could do this to install the macro malware on a Mac. But it would be temporary and not survive the next system reboot, because Microsoft makes sure that you can't use the "$" workaround to create files that launch upon system startup.

So far, these have been Microsoft flaws, not Apple ones. Then Wardle found that he could use the Office sandbox escape to create a macOS login item, which pops up a Terminal login prompt upon system startup, all outside the Office sandbox.

"The fact that one can create a login item from within the sandbox appears to be an issue in macOS (i.e. it's an Apple bug)," Wardle wrote.

Fooling macOS to do your dirty work

Still, macOS 10.15 Catalina won't run random software without checking to make sure it's been "notarized" by Apple. So Wardle's malware would have to look like it was legitimate.

He found that if the malicious Office macro created a compressed .zip file with a name that began with a "$" and designated it as a login item to run upon system startup, then macOS' own Archive Utility would automatically decompress the file the next time the user logged in.

Because macOS would be checking the credentials of Archive Utility, not the .zip file, this file decompression would pass the security smell test.

Decompressing the .zip file would then create another file set to run upon system startup, which could be malware. With the next login, the malware would run and the Mac could be completely owned by the attacker.

"With a[n] ability to create a launch agent (that will launch an interactive remote shell), it's game over," Wardle wrote.

As a proof-of-concept, Wardle said he was able to install a notorious "downloader" malware on a Mac using this exploit chain.
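For defenders, the chain described above leaves three artifacts that can be checked on disk: files whose names begin with "$", archives that would unpack a launch agent, and launch agents set to run at login. The following triage script is an added example, not code from Wardle or from this article; the function names and the constructed sample tree are hypothetical, and it assumes the standard per-user `~/Library/LaunchAgents` location. A "$" name on its own is only a lead for manual review, and the script does not read the login-items database.

```python
import os, plistlib, tempfile, zipfile

def triage_home(home):
    """Return sorted (reason, relative path) findings under one home directory."""
    findings = []
    agents_dir = os.path.join(home, "Library", "LaunchAgents")
    for root, _dirs, files in os.walk(home):
        for name in files:
            path = os.path.join(root, name)
            rel = os.path.relpath(path, home)
            # The sandbox escape in the article relies on names starting with "$".
            if name.startswith("$"):
                findings.append(("dollar-prefixed file", rel))
            # An archive that unpacks into LaunchAgents plants a startup item.
            if zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    if any("LaunchAgents/" in m for m in zf.namelist()):
                        findings.append(("archive carries a launch agent", rel))
            # Agents that start at login are listed with their command line.
            if root == agents_dir and name.endswith(".plist"):
                try:
                    with open(path, "rb") as fh:
                        job = plistlib.load(fh)
                except Exception:
                    findings.append(("unreadable launch agent", rel))
                    continue
                if isinstance(job, dict) and job.get("RunAtLoad"):
                    argv = job.get("ProgramArguments") or [job.get("Program", "")]
                    findings.append(("run-at-login agent: " + " ".join(map(str, argv)), rel))
    return sorted(findings)

def build_constructed_home(home):
    """Create a small, harmless sample tree (constructed data, not real samples)."""
    agents = os.path.join(home, "Library", "LaunchAgents")
    os.makedirs(agents)
    job = {"Label": "com.example.sample", "RunAtLoad": True,
           "ProgramArguments": ["/usr/bin/true"]}
    with open(os.path.join(agents, "com.example.sample.plist"), "wb") as fh:
        plistlib.dump(job, fh)
    with zipfile.ZipFile(os.path.join(home, "Library", "$sample.zip"), "w") as zf:
        zf.writestr("LaunchAgents/com.example.other.plist", "constructed placeholder")
    with open(os.path.join(home, "notes.txt"), "w") as fh:
        fh.write("ordinary file\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_constructed_home(home)
        for reason, rel in triage_home(home):
            print(f"{reason:45} {rel}")
```

On a real system, run `triage_home` against each user's home directory and compare the run-at-login agents with the software you expect to be installed.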

No bug bounty for you

Despite Apple's bug-bounty program, Wardle doesn't think he'll be seeing any money from Apple for finding these flaws and disclosing them to Cupertino. Apple has already declared that these flaws wouldn't qualify.

"I still have received zero dot zero dollars from Apple," Wardle told Vice News. "So, you know, maybe there's like a clause in there that's like 'no money for Patrick,' which is fine." 

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.