Potential hackers can take over an Apple macOS run PC or Macbook with just an old Microsoft .SLK spreadsheet and a Zip file
We had earlier reported how the old Microsoft spreadsheet with .SLK extension could be used to bypass the Microsoft 365 security and implant malware. In fact, at that time security researchers from Avanan stated that nearly 200 million Microsoft 365 and Microsoft Windows 10 users could be at risk from such .SLK exploit attacks.
Now an ex-NSA researcher has found that the very same .SLK files can be used to seize control of Apple macOS powered PCs and Macbooks. In a report published on Objective See, Patrick Wardle has demonstrated how the old and discarded Microsoft’s .SLK file combined with a Zip file could be used by potential hackers to take over any macOS PC/laptop. Wardle says that even the fully patched macOS Catalina systems were at risk from the .SLK + Zip file macro attack.
What is .SLK file extension?
SLK or “Symbolic Link” file is an old Microsoft spreadsheet format file. It is an open-format alternative to Microsoft’ .xls or .xlsx file extension for Excel spreadsheets. Most hackers use the .SLK files for phishing attacks as these files look an Excel spreadsheet to the ordinary user.
Wardle says that hackers can exploit the way macOS run PC/laptops handle macros and bypass its sandbox procedures. The exploit uses a document that is saved in .SLK format to trick the target machine into allowing Office to activate macros without consent and without notifying the user. The exploit uses a dollar sign at the start of the filename to overcome the restrictive Office sandbox while compressing the file within a .zip folder. This can then bypass macOS controls that prevent downloaded items from accessing user files.
“In the world of Windows, macro-based Office attacks are well understood (and frankly are rather old news). However, on macOS, though such attacks are growing in popularity and are quite en vogue, they have received far less attention from the research and security community,” he wrote in a recent blog post. “Triggered by simply opening a malicious (macro-laced) Office document, no alerts, prompts, nor other user interactions were required in order to persistently infect even a fully-patched macOS Catalina system,” he adds.
In the PoC posted on Observer See, Wardle was able to make the exploit download a calculator App from online and trigger it without a single alert from macOS security architecture.
But he found that the exploit can be used to bypass all Apple macOS sandboxing protocols. Wardle’s exploit requires some user action to work. The exploit only works if the victim logs in and out of macOS PC/laptop twice, with a further step in the process fulfilled with each login.
Wardle says that though Apple acknowledged his research, they did not respond back to him. Microsoft has acknowledged Wardle’s exploit and patched the bug. Wardle says that Apple silently addressed the bug in macOS 10.15.3. When confronted, they reactively edited the 10.15.3 security bulletin, though no CVEs were assigned
“[The company has] determined that any application, even when sandboxed, is vulnerable to misuse of these APIs. We are in regular discussion with Apple to identify solutions to these issues and support as needed,” said a Microsoft spokesperson.
All the bugs pointed out by Wardle have been patched and macOS users who use Microsoft Office or Microsoft 365 should update their products with the latest security patch.