Former NSA hacker Patrick Wardle has discovered a serious security vulnerability in macOS. As reported by Motherboard, he managed to take complete control of Apple's desktop operating system with a file that contains a macro. The victim only has to open the specially prepared file with a double click; no further user interaction is required.
According to Wardle, he was able to circumvent all of the security measures Microsoft has put in place. Starting from a weakness in Office for Mac's macro handling, the security researcher built an exploit chain that also bypassed Apple's security mechanisms to inject code and execute it outside the sandbox on a fully patched macOS Catalina.
To run a macro on macOS, an Office document must be opened with a Microsoft application. That application warns the user that the document contains a macro, and the user must explicitly allow it to run. macOS also runs the Office applications in a sandbox. Beyond that, macOS restricts which applications may run to those approved by Apple (code signing and notarization). Wardle was able to bypass all of these precautions.
For his attack he used an outdated file format, SLK (SYLK), which Office still supports for reasons of backward compatibility. Files in SLK format, however, are exempt from the macro warning: Office executes the macros they contain without asking.
In addition, Wardle used a bug discovered by another researcher to escape the Office sandbox. Once outside the sandbox, he drops a ZIP file, which macOS then processes without further prompting the user.
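The following is an added example for this article, not code from Patrick Wardle, Microsoft or Apple. It shows the practical consequence of the SLK detail above: a defender cannot rely on Office's macro prompt, so mail gateways or endpoint scripts have to recognize SYLK content themselves. The script identifies SYLK by its `ID;` header regardless of file extension and flags the records that turn a sheet into an auto-running Excel 4.0 (XLM) macro: the `O;E` option record, an `NN` defined name such as `Auto_open`, and `C` cell records whose `E` field holds an expression. The two sample files and the list of "suspicious" XLM functions are constructed here as heuristics and are assumptions of this example.

```python
"""Triage helper for SYLK (.slk) spreadsheets carrying Excel 4.0 (XLM) macros.

Added example, not code from the article or from Microsoft.  The sample
files and the function blacklist below are constructed for illustration.

SYLK is a line-oriented text format.  Every record begins with a type:
  ID  header, always first ("ID;P..." or "ID;PWXL;N;E")
  O   options; the field "E" switches the sheet into macro mode
  NN  defined name; "NAuto_open" makes Excel run the referenced cell on open
  C   cell; a field starting with "E" is an expression / XLM formula,
      a field starting with "K" is a plain value
  E   end of file
Fields are ';'-separated; a literal ';' inside a field is written ';;'.
"""
import re
import sys

SYLK_MAGIC = b"ID;"

# Heuristic (an assumption of this example): XLM functions that have no
# business in a spreadsheet that arrives by mail.
SUSPICIOUS_FUNCS = ("EXEC", "CALL", "REGISTER", "RUN",
                    "FORMULA", "FORMULA.FILL", "FOPEN", "FWRITE")


def is_sylk(data: bytes) -> bool:
    """Content-based check: Excel opens SYLK by content, so a macro-bearing
    SYLK file renamed to .xls still opens (and still runs) as SYLK."""
    return data.lstrip().startswith(SYLK_MAGIC)


def parse_records(data: bytes):
    """Yield (record_type, fields) per line, honouring the ';;' escape."""
    text = data.decode("latin-1")          # never raises; SYLK is 8-bit text
    for line in text.splitlines():
        if not line:
            continue
        parts = [p.replace("\x00", ";") for p in
                 line.replace(";;", "\x00").split(";")]
        yield parts[0], parts[1:]


def analyze_sylk(data: bytes) -> dict:
    """Collect the macro-relevant records of a SYLK blob."""
    result = {"is_sylk": False, "macro_mode": False, "auto_open": False,
              "formulas": [], "suspicious": []}
    if not is_sylk(data):
        return result
    result["is_sylk"] = True
    for rtype, fields in parse_records(data):
        if rtype == "O" and "E" in fields:
            result["macro_mode"] = True
        elif rtype == "NN":
            names = [f[1:].lower() for f in fields if f.startswith("N")]
            if any(n.startswith(("auto_open", "auto_close")) for n in names):
                result["auto_open"] = True
        elif rtype == "C":
            for f in fields:
                if f.startswith("E"):
                    expr = f[1:]
                    result["formulas"].append(expr)
                    for fn in SUSPICIOUS_FUNCS:
                        if re.search(r"\b" + re.escape(fn) + r"\s*\(", expr, re.I):
                            result["suspicious"].append(fn)
    return result


def verdict(data: bytes) -> str:
    """Coarse classification suitable for a mail-gateway rule."""
    r = analyze_sylk(data)
    if not r["is_sylk"]:
        return "not-sylk"
    if r["suspicious"]:
        return "suspicious-macro"
    if r["macro_mode"] or r["auto_open"]:
        return "macro"
    if r["formulas"]:
        return "formulas"
    return "data-only"


# Constructed sample 1: the shape of a macro-bearing SYLK file.  The EXEC()
# payload is a harmless echo; a real dropper would fetch or write a stage.
MALICIOUS_SLK = b"""ID;P
O;E
NN;NAuto_open;ER101C1;KOut Flag;F
C;X1;Y101;EEXEC("echo owned")
C;X1;Y102;EHALT()
E
"""

# Constructed sample 2: an ordinary SYLK export with one SUM formula.
BENIGN_SLK = b"""ID;PWXL;N;E
C;Y1;X1;K1
C;Y2;X1;K2
C;Y3;X1;ESUM(R1C1:R2C1)
E
"""

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {verdict(fh.read())}")
```

Run it as `python sylk_triage.py suspicious.xls other.slk`; the extension is deliberately ignored, because the whole point of the SLK trick is that an innocuous-looking name still reaches Office's legacy parser. Treat "macro" and "suspicious-macro" as reasons to quarantine, not as proof of malice.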
This chain of exploits does not run in a single step, however. Each stage requires the victim to log in to their Mac again, so two further logins are needed before the attacker has full control.
Apple and Microsoft were informed of the problem months ago. According to Wardle, patches are now available for Office for Mac and macOS 10.15. The researcher nevertheless criticized Apple for showing little interest in his work.