  • Ex-NSA hacker took control of MacOS via Office document

    Posted by Alex5723 on the AskWoody Lounge

      • #2286692 Reply
        Alex5723
        AskWoody Plus

        A security researcher who specializes in MacOS found a way to hack users who would double click on a Microsoft Office file, with no need for any other interaction.

        On Wednesday, former NSA hacker Patrick Wardle will demonstrate how he was able to create a chain of exploits that would have allowed hackers to take control of a Mac by simply convincing the target to open a Microsoft Office file laden with a malicious macro. Creating Office files with malicious macros is an old trick that’s been enjoying a second life lately for hackers interested in Windows targets. Wardle is now showing how macros—essentially small programs embedded in documents—could be exploited on MacOS as well. …

        A Microsoft spokesperson said that the company has “investigated and determined that any application, even when sandboxed, is vulnerable to misuse of these APIs,” the company wrote in an emailed statement. “We are in regular discussion with Apple to identify solutions to these issues and support as needed.”

        The flaws Wardle took advantage of are now fixed for the latest version of Office on Mac, and for MacOS 10.15.3.

        https://www.vice.com/en_us/article/jgxamy/hacker-finds-a-way-to-hack-mac-users-via-microsoft-office

        4 users thanked author for this post.
      • #2286706 Reply
        doriel
        AskWoody Lounger

        Reminds me of Kevin Mitnick.

        Back to the topic:

        Wardle’s hack was possible thanks to a series of happenstances and bugs he found and linked together.

        Specifically, we detailed the creation of a powerful exploit chain that began with CVE-2019-1457, leveraged a new sandbox escape and ended with a full bypass of Apple’s stringent notarization requirements.

        It should be enough to break just one segment of the chain.
        Source HERE

        His presentation slides from the Black Hat conference; I’m not being racist, that’s its name, to be clear.
        Link

        Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 1809 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        3 users thanked author for this post.
      • #2286773 Reply
        OscarCP
        AskWoody Plus

        I am running macOS 10.14.6, Mojave’s latest incremental release, and Office for Macs 2016, so I am hoping that there will also be a fix for these two items, particularly for Office for Macs 2016, which is going to get its last patches next month and, maybe (I’m not clear at the moment if this will happen), on the second Tuesday of October, the 12th (Columbus Day), just before EOL on the 13th… And I’m not making plans to “upgrade” to 2019, where this particular bug, at least according to the article, has been fixed.

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

        1 user thanked author for this post.
      • #2286791 Reply
        OscarCP
        AskWoody Plus

        I have been looking around the Web, unsuccessfully, for confirmation that the items that launch at login are defined in files that end in “$something” (“something” is just a placeholder I am using here: the actual name of the malicious startup item is not going to be that, of course) at least as far back as my present version of macOS, Mojave. The current script bug creates a fake login item in the form of such a file, so the malware is launched the next time the user logs in. Does anybody here know the answer to this query?

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

        1 user thanked author for this post.
      • #2287295 Reply
        Nathan Parker
        AskWoody_MVP

        It may be adding something to LaunchAgents (in the user Library) or LaunchAgents, LaunchDaemons, or StartupItems (in the main Library). I believe Webroot or some of the Objective See apps can alert users if changes to one of these folders occur. I can research it further.

        Nathan Parker

        1 user thanked author for this post.
      • #2287301 Reply
        Nathan Parker
        AskWoody_MVP
        • #2287308 Reply
          OscarCP
          AskWoody Plus

          Nathan. This has been fixed in Office 2019, but it is not mentioned if it has been fixed in Office 2016 as well (with a recent patch). However, if the use of “$” files is not a feature of Mojave, Office 2016 would be immune if one is running it on Mojave… So, is it immune?

          Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

          • #2287332 Reply
            Alex5723
            AskWoody Plus

            Microsoft’s statement:

            A Microsoft spokesperson said that the company has “investigated and determined that any application, even when sandboxed, is vulnerable to misuse of these APIs,”

            1 user thanked author for this post.
      • #2287485 Reply
        Nathan Parker
        AskWoody_MVP

        I’m still trying to understand what Oscar is referring to by “$” files?

        Nathan Parker

      • #2287490 Reply
        OscarCP
        AskWoody Plus

        Nathan

        Here, for example:

        https://www.vice.com/en_us/article/jgxamy/hacker-finds-a-way-to-hack-mac-users-via-microsoft-office

        Among other things it says this:

        Then, he took advantage of a flaw discovered by another researcher, which allows a hacker to escape the Microsoft Office sandbox by creating a file that starts with the “$” sign. Finally, the last piece of the puzzle was to realize that if that file was a .zip file, MacOS wouldn’t check it against its new notarization protections, which technically won’t allow files downloaded from the internet to access user files unless they come from known developers.

        Or here:

        https://objective-see.com/blog/blog_0x4B.html

        In mid-2018, the noted security researcher Adam Chester discovered a neat sandbox escape that abused a sandbox exception in Office app’s sandbox profile. In short, we noticed that said profile contained an exception (com.apple.security.temporary-exception) via a regex that “allows us to create a file anywhere on the filesystem as long as it ends with ~$something.”

        Windows 7 Professional, SP1, x64 Group W (ex B) & macOS + Linux (Mint)

      • #2287511 Reply
        Nathan Parker
        AskWoody_MVP

        Got it. Did some research on this, and here’s what I know so far:

        1. I have not been able to confirm whether this affects Mojave/Office 2016.
        2. The attack does rely on the LaunchAgents I mentioned above. If you have BlockBlock from Objective-See installed or enable “Monitor Services Running on the System” under “Realtime Shield” in Webroot, either app will prompt you when any changes to this folder take place, thereby mitigating the impact.

        Nathan Parker

        1 user thanked author for this post.
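Nathan’s point that the chain relies on LaunchAgents, together with the “~$” file-name exception and the .zip detail quoted from Objective-See above, suggests a simple local check a user can run. The following is an added example written for this thread (not code from the thread, from Objective-See, BlockBlock or Webroot) that audits one launchd folder for those patterns; the folder list, the use of the launchd keys ProgramArguments/Program, and the constructed fixture in demo() are assumptions, not details stated in the thread.

```python
import os
import plistlib
import re
import tempfile

# launchd folders named in the thread (assumed defaults; pass each to audit_launch_dir on a real Mac)
LAUNCH_DIRS = [os.path.expanduser("~/Library/LaunchAgents"),
               "/Library/LaunchAgents", "/Library/LaunchDaemons"]

# The Office sandbox exception quoted above covers paths ending in "~$<something>",
# so a launchd entry whose file name carries "~$" was writable from inside that sandbox.
OFFICE_TEMP_NAME = re.compile(r"~\$")

def audit_launch_dir(path):
    """Return (file name, reason) findings for one launchd folder; [] if it does not exist."""
    findings = []
    if not os.path.isdir(path):
        return findings
    for name in sorted(os.listdir(path)):
        if OFFICE_TEMP_NAME.search(name):
            findings.append((name, "name matches the Office '~$' sandbox exception"))
        if not name.endswith(".plist"):
            # launchd only loads .plist files; a .zip or anything else does not belong here
            findings.append((name, "non-plist file in a launchd folder"))
            continue
        try:
            with open(os.path.join(path, name), "rb") as fh:
                plist = plistlib.load(fh)
        except Exception:
            findings.append((name, "unparsable plist"))
            continue
        # launchd runs ProgramArguments[0] or Program; flag a .zip in either field
        program = plist.get("ProgramArguments") or [plist.get("Program", "")]
        if any(str(arg).lower().endswith(".zip") for arg in program):
            findings.append((name, "launch item points at a .zip archive"))
    return findings

def demo():
    """Constructed fixture: one benign agent plus the two patterns the thread describes."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "com.example.updater.plist"), "wb") as fh:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/usr/bin/true"]}, fh)
    with open(os.path.join(d, "~$payload.plist"), "wb") as fh:  # constructed name, not a real IoC
        plistlib.dump({"Label": "constructed",
                       "ProgramArguments": ["/tmp/~$payload.zip"]}, fh)
    open(os.path.join(d, "~$payload.zip"), "wb").close()
    return audit_launch_dir(d)
```

On a real machine, run audit_launch_dir over each entry of LAUNCH_DIRS; a benign folder returns an empty list, while a file named with “~$” or a launch item pointing at a .zip is reported with its reason.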