Our new @OutflankNL blog post on abusing the SYLK file format. This 1980s file type can host macros in modern versions of MS Office / Excel without hitting protected mode. Post includes recommendations for mitigation (note: active abuse in the wild). https://outflank.nl/blog/2019/10/30/abusing-the-sylk-file-format/
Replying to @StanHacked @OutflankNL
Note that if you have configured macros to be disabled without prompting in Mac Office, there's a bug that causes macros to be *ENABLED WITHOUT PROMPTING*. I've confirmed this with fully-patched Office 2016 and 2019 on the Mac. Oh the irony to put security-conscious folks at risk. pic.twitter.com/AipCy8kiyn
Two notes: 1) There's a typo in the video. It's "XLM" macros, not "XML". 2) The option to "Disable all macros without notification" seems to work OK with traditional macros. It's XLM macros that execute without prompting if this option is selected.
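Since the point of the thread is that an XLM macro sheet can ride inside a plain-text SYLK file, here is a small triage scanner for .slk attachments. This is an added example, not code from the thread or from the Outflank post; the record semantics it relies on (an `ID` header record, an `O` options record whose `E` flag marks a macro sheet, `NN` records defining names, and `C` cell records whose `E` field carries a formula) are my reading of the SYLK format, and the two sample files are constructed for the example.

```python
"""Triage scanner for SYLK (.slk) files carrying XLM (Excel 4.0) macros.

Added example, not part of the original thread. Assumptions about the SYLK
record layout: records are one per line, fields are separated by ';', a
literal ';' inside a field is written ';;', 'O;E' marks a macro sheet,
'NN;N<name>;E<ref>' defines a name, and 'C;X<col>;Y<row>;E<formula>'
is a formula cell.
"""
import re

# XLM functions that reach outside the workbook: process execution,
# arbitrary DLL calls, file I/O and dynamic formula injection.
SUSPICIOUS_FUNCS = ("EXEC", "CALL", "REGISTER", "FOPEN", "FWRITE", "FORMULA", "RUN")

# Names Excel runs automatically on workbook open/close/activate.
AUTO_NAME = re.compile(r"^AUTO_(OPEN|CLOSE|ACTIVATE|DEACTIVATE)", re.IGNORECASE)


def parse_sylk(text):
    """Yield (record_type, fields) for every non-empty line of a SYLK file."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # ';;' is an escaped semicolon; swap it out before splitting on ';'.
        parts = [p.replace("\x00", ";") for p in line.replace(";;", "\x00").split(";")]
        yield parts[0], parts[1:]


def scan_sylk(text):
    """Return a findings dict describing XLM macro indicators in a SYLK file."""
    findings = {
        "valid_sylk": False,        # saw the ID header record
        "macro_sheet": False,       # saw 'O;E' (macro sheet option)
        "auto_names": [],           # Auto_Open / Auto_Close style names
        "suspicious_formulas": [],  # (col, row, formula, [matched functions])
    }
    for rtype, fields in parse_sylk(text):
        if rtype == "ID":
            findings["valid_sylk"] = True
        elif rtype == "O" and "E" in fields:
            findings["macro_sheet"] = True
        elif rtype == "NN":
            for f in fields:
                if f.startswith("N") and AUTO_NAME.match(f[1:]):
                    findings["auto_names"].append(f[1:])
        elif rtype == "C":
            col = row = None
            formula = None
            for f in fields:
                if f[:1] in ("X", "Y") and f[1:].isdigit():
                    if f[0] == "X":
                        col = int(f[1:])
                    else:
                        row = int(f[1:])
                elif f.startswith("E"):
                    formula = f[1:]
            if formula is not None:
                hits = [fn for fn in SUSPICIOUS_FUNCS
                        if re.search(r"\b" + fn + r"\s*\(", formula, re.IGNORECASE)]
                if hits:
                    findings["suspicious_formulas"].append((col, row, formula, hits))
    return findings


def is_suspicious(findings):
    """A macro sheet flag or any dangerous XLM call is enough to quarantine."""
    return findings["valid_sylk"] and (
        findings["macro_sheet"] or bool(findings["suspicious_formulas"])
    )


# Constructed samples for this example (not real-world captures).
SAMPLE_MACRO_SLK = """ID;PWXL;N;E
O;E
NN;NAuto_Open;ER1C1
C;X1;Y1;EEXEC("calc.exe")
C;X1;Y2;EHALT()
E
"""

SAMPLE_BENIGN_SLK = """ID;PWXL;N;E
C;X1;Y1;K42
C;X2;Y1;ESUM(R1C1)
E
"""

if __name__ == "__main__":
    for label, sample in (("macro", SAMPLE_MACRO_SLK), ("benign", SAMPLE_BENIGN_SLK)):
        result = scan_sylk(sample)
        print(label, "suspicious" if is_suspicious(result) else "clean", result)
```

The scanner treats the `O;E` flag on its own as a quarantine signal: ordinary spreadsheets exported to SYLK carry values and worksheet formulas but have no reason to declare a macro sheet. Run it over a mail-gateway quarantine folder, and note that it reads the file as text, so the Office file-type sniffing that lets a renamed .slk open in Excel does not affect it.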
Also note that the alert() was just a simple PoC. This allows for arbitrary code execution. Cue the traditional "pop calc" video... pic.twitter.com/CzDqfLTDLH
When all you want to do is see what you can embed an XLM macro in... /me mumbles something about sniff tests pic.twitter.com/FfyJ0TUAy3
Don't forget that Microsoft Office installs URI handlers. https://docs.microsoft.com/en-us/office/client-developer/office-uri-schemes Viewing a web page can open an XLM-containing SYLK. Depending on your macOS version and browser, the amount of prompting you receive may vary. For example, Firefox allows you to disable the warning. pic.twitter.com/FhNzqNuEhy
For example, if you're unfortunate enough to still be using macOS Sierra (10.12.x), Safari will launch Excel to open an arbitrary file with zero user interaction. This makes for a complete drive-by download situation. pic.twitter.com/7tzrZ9U101
The fix for this was released as CVE-2019-1457: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1457