
PSA: Turning off silent macros in Office for Mac leaves users wide open to silent macro attacks

Microsoft seems a bit hazy on what 'disable' actually means


A security hole in Office for Mac can be exploited by miscreants to potentially run malicious code on victims' shiny computers without anyone noticing.

The CERT Coordination Center at Carnegie Mellon University, on the US East Coast, warns the bug arises when folks activate the "disable all macros without notification" option in Office for Mac. This itself is a good security move, in that it's supposed to block code embedded in documents from running without first asking the user for approval.

However, with this setting switched on, one type of macro, XLM, remains enabled, and will run without any notification when a document is opened, CERT has warned.

"If Office for the Mac has been configured to use the 'Disable all macros without notification' feature, XLM macros in SYLK files are executed without prompting the user," CERT explains. "We have confirmed this behavior with fully-patched Office 2016 and Office 2019 for Mac systems."

As you might imagine, having XLM macros running without any kind of prompt is a serious risk. The macro language is powerful enough to launch files and execute commands, meaning an attacker will effectively have remote code execution on the target system with the current user's security clearance.

"Macros in the SYLK format are problematic in that Microsoft Office does not open in Protected View to help protect users," says CERT CC. "This means that users may be a single click away from arbitrary code execution via a document that originated from the internet."


In practice, an attacker could exploit the bug by embedding malicious XLM code into a SYLK file and then, via spear-phishing or other social engineering methods, convince a mark to open the poisoned file in Office for Mac.

When Microsoft was asked for comment, its spinners provided the following heavily encrypted response: "Microsoft has a customer commitment to investigate reported security issues and we will provide updates for impacted devices as soon as possible."

Make of that what you will. It sounds as though it will be patched soon, maybe?

While there is no fix available right now for the security shortcoming, users can opt to "disable all macros with notification." As CERT CC put it earlier this month:

Although "Disable all macros with notification" is less secure than "Disable all macros without notification" for modern VBA macros, the latter setting can allow for arbitrary code execution without any prompting when an XLM macro is used in a SYLK file. Until this issue is addressed, using the "Disable all macros with notification" is a more secure setting on Mac systems.

Alternatively, administrators can protect end-users by setting their email and web gateways to filter out SYLK (extension .slk) files. Perhaps that option is best. ®
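As an added illustration of that gateway filter (example code, not from the article or CERT), the screener below blocks on the .slk extension as described and also sniffs the attachment body, since a SYLK file always opens with an ID record and an extension-only rule misses a renamed one; the formula heuristic and sample records are constructed for the example.

```python
"""Gateway-side SYLK attachment screening (added example, not the article's or CERT's code).

Two checks: the extension block the article describes, plus a content check so a
SYLK body under another extension is still caught. SYLK is line-oriented text whose
first record is 'ID;...', and cell (C) records carry formulas in an ';E' field.
"""
import os

SYLK_MAGIC = b"ID;"


def is_sylk_content(data: bytes) -> bool:
    """True if the attachment body starts with the SYLK ID record."""
    return data.lstrip(b"\r\n\t ").startswith(SYLK_MAGIC)


def sylk_has_formulas(data: bytes) -> bool:
    """Heuristic: any C (cell) record carrying an ;E (expression) field.
    Files that only hold literal values (;K fields) have no formulas.
    Splitting on ';' is crude (a ';' inside a quoted value would confuse it),
    which is acceptable for a quarantine heuristic."""
    for raw in data.splitlines():
        fields = raw.decode("latin-1").split(";")
        if fields[0] == "C" and any(f.startswith("E") for f in fields[1:]):
            return True
    return False


def screen_attachment(filename: str, data: bytes) -> str:
    """Return 'block', 'review' or 'allow' for one attachment."""
    ext = os.path.splitext(filename)[1].lower()
    if ext == ".slk":                      # the article's extension-based rule
        return "block"
    if is_sylk_content(data):              # SYLK body under another extension
        return "block" if sylk_has_formulas(data) else "review"
    return "allow"


# Constructed sample records (benign SUM formula, no macro content)
PLAIN_VALUES = b"ID;PWXL;N;E\r\nC;Y1;X1;K42\r\nE\r\n"
WITH_FORMULA = b"ID;PWXL;N;E\r\nC;Y1;X1;K1\r\nC;Y1;X2;ESUM(R1C1)\r\nE\r\n"

if __name__ == "__main__":
    for name, body in [("report.slk", PLAIN_VALUES), ("report.csv", WITH_FORMULA),
                       ("report.csv", PLAIN_VALUES), ("notes.txt", b"hello")]:
        print(name, screen_attachment(name, body))
```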
