We don't usually think of Macs as vulnerable to Microsoft security flaws, but that seems to be exactly what has happened with regard to the macOS 1015 Catalina vulnerability
Patrick Wardle, who has famously (or infamously) discovered a number of serious Mac vulnerabilities over the past decade, wrote in an August 4 blog post that remote hackers can simply force users to open booby-trapped Microsoft Office files
He explained that he could take complete control of the Mac
The hack requires a legitimate user to log in to the system twice in order to succeed, but that does not make it ineffective, as Wardle told Vice Motherboard [People are impatient Exploits don't have to be"
Wardle warned both Apple and Microsoft in November 2019 of this attack technique, which cascades exploits of both companies' software
Microsoft fixed the flaw that same month, and the Mac flaw was fixed by Apple in macOS 10153 Catalina, released in January 2020 (Wardle said he received no acknowledgement from Apple in the macOS Catalina 10153 release notes until he "queried" Apple)
The flaw in the macOS 10153 Catalina was fixed by Microsoft in January 2020
Wardle will further demonstrate and detail his attack method in a virtual presentation at the Black Hat security conference on August 5
Tom's Guide has reached out to Apple for comment and was pointed to the macOS Catalina release notes linked above
Wardle's hack cascaded the exploitation of several vulnerabilities, the most significant of which is a mundane Office macro, a simple script that automates tasks for the convenience of the user
"While the popularity of such attacks is growing, current attacks are (still) pretty lax" Wardle wrote in a blog post But with a little creativity, things could be much worse"
It is well known that macros are a security risk on Windows, though not so much on the Mac On both platforms, Microsoft Office by default opens files downloaded from the Internet in "safe mode" so that macros are not automatically executed
On macs, Wardle notes that Office applications are "sandboxed," making it difficult for malware to escape to affect other applications In addition, macOS 1015 Catalina checks the "notarization" of all software and quarantines anything suspicious
However, Wardle's chain of exploits slips through all these safeguards
"It could easily run macros automatically without user approval, escape the Microsoft Office sandbox, and circumvent Apple's new notarization requirements As a result, a malicious (unsigned) macOS backdoor was persistently installed on (fully patched) macOS systems"
Wardle began by using Sylk files (symbolic link files), an old 1980s file format for porting data from one Office application to another
Even though two researchers discovered last fall that Sylk files can be used to make Office on the Mac run macros without user permission and that those macros can download and run malware, Microsoft still supports Sylk Sylk
Even then, what is done by the rogue Sylk macros, including the installation of malware, is limited to within the Office sandbox and does not affect the rest of the Mac
To overcome that hurdle, Wardle took advantage of another known flaw: If you prefix the name of a Microsoft Office file with a "$" character (dollar sign), you can save that file anywhere on the Mac, even outside of the Office sandbox
This can be done to install macro malware on a Mac This is because Microsoft has made it impossible to use the "$" workaround to create a file that is launched at system startup
So far, these are Microsoft flaws, not Apple flaws Wardle then discovered that he could create macOS login items using escapes in the Office sandbox and pop up a terminal login prompt at system startup
"The fact that you can create a login item from within the sandbox seems to be a macOS issue (ie, an Apple bug)," Wardle wrote
Still, MacOS 1015 Catalina does not run random software without making sure it is "notarized" by Apple Therefore, Wardle's malware must appear to be legitimate
He discovered that if a malicious Office macro creates a compressed zip file with a name beginning with "$" and designates it as a login item to be run at system startup, macOS's own archive utility will automatically decompress the file the next time the user logs in We have found that this works
Because macOS checks the credentials of the Archive Utility rather than the zip file, this file unpacking passes the security sniff test
The unzipped zip file creates another file that is executed at system startup and may be malware The malware will be executed at the next login, and the Mac will be completely owned by the attacker
"If you have the ability to create a launch agent (to launch an interactive remote shell), it's game over," Wardle wrote
As a proof of concept, Wardle stated that he was able to use this exploit chain to install the infamous "downloader" malware on a Mac
Despite Apple's bug bounty program, Wardle does not expect to receive any money from Apple for finding these flaws and disclosing them to Cupertino Apple has already declared that these defects are not covered
"I have yet to receive zero dot zero dollars from Apple," Wardle told Vice News" So you know there may be a clause in there like "no money for Patrick," which is fine"
Comments