Free Republic
Browse · Search
General/Chat
Topics · Post Article


30-year-old file format behind MacOS hack
techxplore.com ^ | August 6, 2020 | by Peter Grad

Posted on 08/07/2020 7:06:01 AM PDT by Red Badger

A security expert revealed this week that an exploit commonly used against Windows users who own Microsoft Office can sneak into MacOS systems as well.

A former NSA security specialist who addressed the Black Hat security conference this week summarized his research into the new use for a very old exploit.

Patrick Wardle explained that the exploit capitalizes on the use of macros in Microsoft Office. Hackers have long used the approach to trick users into granting permission to activate the macros, which in turn surreptitiously launch malicious code.

But Wardle noted that attacks against Mac systems using such macros began occurring around 2017. In 2018, the internet security company Kaspersky uncovered evidence that North Korean hackers infected a cryptocurrency exchange in what was believed to be the first such assault on a MacOS system. Hackers residing under the world's most repressive regime may have earned up to $2 billion in cryptocurrency hacks, according to a report released by the United Nations last year.

The hacks rely on the use of two additional weak spots, one a nearly 30-year-old file format little used in recent years. While Microsoft Office generally prompts users before a macro is executed, the old SYLK Excel file format (.SLK) does not trigger a prompt. Thus, it can be used to bypass a line of security.

Wardle noted that Microsoft Office handles code for old files differently than code for newer ones.

When researchers alerted Apple to the .SLK vulnerability last year, Wardle said, Microsoft declined to issue a patch, asserting that malicious code would be contained within the secure Microsoft Office sandbox environment.

Wardle, who slyly proclaimed, "Working at the NSA corrupted my mind and filled it with evil ideas," set out to test those boundaries of the sandbox protection. In a matter of days, he found a vulnerability.

By beginning a filename with the "$" character, he learned, a file can break out of the sandbox and avoid detection.

"Security researchers love these ancient file formats because they were created at a time when no one was thinking about security," Wardle told Motherboard.

Microsoft has patched the SYLK vulnerability and says it is communicating with Apple on addressing other issues raised by the research of Wardle and others.

Wardle fears these hacks may be just the tip of the iceberg.

"I was surprised how easy it was," to devise these hacks, Wardle told Wired magazine. "I do have experience doing this, but it would be arrogant for me to think that well-resourced hacker groups aren't looking at this and don't have similar talents, if not more so. It's a very broad attack vector. Sufficiently resourced and clever hackers will find ways to gain access and persist on Mac systems."

Dutch researcher Stan Hegt, who uncovered the SYLK macro vulnerability, praised Wardle's research but also cautioned there likely are more problems to come.

"The fact that he's now built a full exploit chain definitely proves a point," said Hegt. "I'm pretty sure if you dig deep in Office, especially on Macs, there's more" troublesome issues to uncover.


TOPICS: Business/Economy; Computers/Internet; History; Society
KEYWORDS: apple; blackhat; computer; excel; mac; macintosh; macos; microsoft; office; sylk; windows

1 posted on 08/07/2020 7:06:01 AM PDT by Red Badger
[ Post Reply | Private Reply | View Replies]

To: Swordmaker; ShadowAce

MacWindows Ping!...................


2 posted on 08/07/2020 7:06:34 AM PDT by Red Badger (To a liberal, 9-11 was 'illegal fireworks activity'...........................)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Red Badger

Time to try Navy DIF, Wordstar and Multiplan!


3 posted on 08/07/2020 7:18:25 AM PDT by Dr. Sivana (There is no salvation in politics)
[ Post Reply | Private Reply | To 2 | View Replies]

I’ve been a big Excel user for at least 30 years. I don’t think that I ever used SYLK files.


4 posted on 08/07/2020 7:19:16 AM PDT by Rio
[ Post Reply | Private Reply | To 1 | View Replies]

To: Dr. Sivana

I was a Wordstar expert!...................


5 posted on 08/07/2020 7:22:30 AM PDT by Red Badger (To a liberal, 9-11 was 'illegal fireworks activity'...........................)
[ Post Reply | Private Reply | To 3 | View Replies]

To: Red Badger

“Wordstar”

Wordstar and DB Master. We thought they were enough to rule the world.


6 posted on 08/07/2020 7:31:55 AM PDT by gibsonguy
[ Post Reply | Private Reply | To 5 | View Replies]

To: Rio

I went through a phase where I had to use SYLK files to overcome some technical obstacle (I can’t remember now, I recall it may have been the only way I could export out of one system and have it open properly in another, but it was a while back.)


7 posted on 08/07/2020 7:34:08 AM PDT by rlmorel ("Truth is Treason in the Empire of Lies"- George Orwell)
[ Post Reply | Private Reply | To 4 | View Replies]

To: gibsonguy

I was pretty good with DB as well!..............


8 posted on 08/07/2020 7:38:58 AM PDT by Red Badger (To a liberal, 9-11 was 'illegal fireworks activity'...........................)
[ Post Reply | Private Reply | To 6 | View Replies]

To: Red Badger; gibsonguy

William F. Buckley used Wordstar to the bitter end. I remain a WordPerfect guy myself, with a soft spot for Nota Bene and MacWrite Pro.


9 posted on 08/07/2020 7:43:51 AM PDT by Dr. Sivana (There is no salvation in politics)
[ Post Reply | Private Reply | To 5 | View Replies]

To: Dr. Sivana

I loved Wordstar. I knew every command keyboard control by heart..........30 years ago.........


10 posted on 08/07/2020 7:48:05 AM PDT by Red Badger (To a liberal, 9-11 was 'illegal fireworks activity'...........................)
[ Post Reply | Private Reply | To 9 | View Replies]

To: Dr. Sivana

Then there is the unsung hero, File Maker Pro.


11 posted on 08/07/2020 8:01:58 AM PDT by gibsonguy
[ Post Reply | Private Reply | To 9 | View Replies]

To: gibsonguy
Then there is the unsung hero, File Maker Pro.

That is the main thing keeping me in Windows. Although the new version (19) is moving to "Cloud First" and a subscription model which I detest, so I will be staying with my perpetual license 18 for a while.

Now, if I could only come up with a way for it to do double/triple dimension ranking on the fly efficiently.
12 posted on 08/07/2020 8:08:26 AM PDT by Dr. Sivana (There is no salvation in politics)
[ Post Reply | Private Reply | To 11 | View Replies]

To: Rio
I’ve been a big Excel user for at least 30 years. I don’t think that I ever used SYLK files.

SYLK started as an export file format from Multiplan, the text precursor to Excel. It's more than 30 years old; more like 38 years.

I don't understand how the exploit works. SYLK content is just raw text and doesn't contain macros.

13 posted on 08/07/2020 8:15:23 AM PDT by Spirochete (GOP: Gutless Old Party)
[ Post Reply | Private Reply | To 4 | View Replies]

To: Spirochete
I don't understand how the exploit works. SYLK content is just raw text and doesn't contain macros.

I see now. It supports commands for executing code, like EXEC() and HALT().

https://outflank.nl/blog/2019/10/30/abusing-the-sylk-file-format/

Wikipedia

14 posted on 08/07/2020 8:31:54 AM PDT by Spirochete (GOP: Gutless Old Party)
[ Post Reply | Private Reply | To 13 | View Replies]
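
Added example (not part of the thread or of the linked write-up): a defender-side triage check for the point made in the article and in post 14, that a SYLK file is plain text yet can carry expressions calling `EXEC()` and `HALT()`. The function name `scan_sylk`, the sample data and the record layout used here (an `ID` first record, `C` cell records with `X`/`Y`/`K`/`E` fields) are assumptions based on the general SYLK format, not details from this page.

```python
import re

# Macro functions named in the thread as callable from SYLK content.
FLAGGED = re.compile(r"\b(EXEC|HALT)\s*\(", re.IGNORECASE)

def is_sylk(text):
    """SYLK is plain text; the first record is an ID record."""
    return text.lstrip("\ufeff").startswith("ID;")

def scan_sylk(text):
    """Return (row, col, function, expression) for each flagged call."""
    if not is_sylk(text):
        return []
    findings, row, col = [], 0, 0
    for line in text.splitlines():
        fields = line.strip().split(";")  # simplification: ';;' escapes ignored
        if fields[0] != "C":              # only cell records carry expressions
            continue
        for field in fields[1:]:
            tag, value = field[:1], field[1:]
            if tag == "X" and value.isdigit():
                col = int(value)          # X/Y persist when a record omits them
            elif tag == "Y" and value.isdigit():
                row = int(value)
            elif tag == "E":              # E = expression; K = stored value
                for match in FLAGGED.finditer(value):
                    findings.append((row, col, match.group(1).upper(), value))
    return findings

# Constructed samples (not taken from any real file).
SAMPLE_FLAGGED = "\n".join([
    "ID;PEXAMPLE",
    'C;X1;Y1;K"Quarterly totals"',
    'C;X1;Y2;K0;EEXEC("placeholder-command")',
    "C;Y3;K0;EHALT()",
    "E",
])
SAMPLE_CLEAN = "\n".join([
    "ID;PEXAMPLE",
    'C;X1;Y1;K"mentions EXEC( in a text value"',
    "C;X2;K4;ER1C1+2",
    "E",
])

if __name__ == "__main__":
    for name, sample in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(name, scan_sylk(sample))
```

Because the check keys on the `ID;` header rather than the `.slk` extension, it also catches SYLK content saved under another name.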

To: Red Badger; ~Kim4VRWC's~; 1234; 5thGenTexan; AbolishCSEU; Abundy; Action-America; acoulterfan; ...
Extremely VERY OBSCURE Microsoft Excel file type vulnerability in older Macs can have an exploit which could possibly be used by malicious actors to do something nasty. Oh My. . . What a scary thought. NOT! VERY RARE file type. . . And easily avoided by just renaming the file that HAS to start with a “$” to be dangerous. If you need that file (why?) just delete the “$” and go about your business. —PING!


APPLE + MICROSOFT EXCEL SECURITY PROBLEM? NO!
PING!

If you want on or off the Apple/Mac/iOS Ping List, Freepmail me.

15 posted on 08/07/2020 9:08:21 AM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplophobe bigot1)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Red Badger

Thanks for the heads up.


16 posted on 08/07/2020 9:10:57 AM PDT by Swordmaker (My pistol self-identifies as an iPad, so you must accept it in gun-free zones, you hoplophobe bigot1)
[ Post Reply | Private Reply | To 2 | View Replies]

To: Swordmaker
Do they just write these articles by cutting and pasting, now, or do they use an AI with a database of scary catchphrases?

A security expert revealed this week that an exploit commonly used against Windows users

...former NSA security specialist who addressed the Black Hat security conference this week...

...Wardle fears these hacks may be just the tip of the iceberg.

...but also cautioned there likely are more problems to come.

These things are more predictable than the plot to a road runner cartoon. I note they haven't found anyone who's actually been hacked. The ONLY catchphrase I didn't find was "This is an important proof of concept."

17 posted on 08/07/2020 9:25:45 AM PDT by Richard Kimball (WWG1WGA)
[ Post Reply | Private Reply | To 15 | View Replies]

To: Dr. Sivana

Visicalc!


18 posted on 08/07/2020 9:35:00 AM PDT by ProtectOurFreedom
[ Post Reply | Private Reply | To 3 | View Replies]

To: rlmorel

I had to use a SYLK file a week ago for some obscure reason. Hadn’t seen those in 20 years.


19 posted on 08/07/2020 9:36:02 AM PDT by ProtectOurFreedom
[ Post Reply | Private Reply | To 7 | View Replies]

To: Richard Kimball

“road runner cartoon plots are predictable”?

What? Seriously? That’s blasphemy!


20 posted on 08/07/2020 9:36:52 AM PDT by ProtectOurFreedom
[ Post Reply | Private Reply | To 17 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.
