{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/xlm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Excel","Microsoft Excel","Microsoft Office 2019","Microsoft Office 2011","macOS Catalina 10.15"],"_cs_severities":["high"],"_cs_tags":["excel","xlm","rce","macro","macos","sylk"],"_cs_type":"threat","_cs_vendors":["Microsoft","Apple"],"content_html":"\u003cp\u003eA zero-day vulnerability in Microsoft Excel for macOS allows for remote code execution through the exploitation of XLM macros embedded within SYLK (.slk) files. This vulnerability, originally discovered by Pieter Ceelen of Outflank, bypasses the security setting \u0026ldquo;Disable all macros without notification,\u0026rdquo; which is intended to prevent automatic macro execution. When this setting is enabled, Excel fails to properly disable XLM macros, leading to their silent execution upon opening a malicious .slk file. While modern macOS features like application sandboxing, file quarantine, and code notarization provide some mitigation, the vulnerability enables an attacker to execute arbitrary code within the context of the Excel process. 
The exploit has been confirmed on fully patched versions of Microsoft Excel 2016 and 2019 running on macOS Catalina 10.15, posing a significant risk to users who rely on the \u0026ldquo;Disable all macros without notification\u0026rdquo; setting for security.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious SYLK (.slk) file containing embedded XLM macros.\u003c/li\u003e\n\u003cli\u003eThe victim receives the malicious .slk file, often delivered via download.\u003c/li\u003e\n\u003cli\u003eThe victim opens the .slk file with Microsoft Excel on macOS.\u003c/li\u003e\n\u003cli\u003eExcel, despite the \u0026ldquo;Disable all macros without notification\u0026rdquo; setting, automatically executes the embedded XLM macros without prompting the user.\u003c/li\u003e\n\u003cli\u003eThe XLM macro invokes the \u003ccode\u003eCALL\u003c/code\u003e function to execute arbitrary code. For example, \u003ccode\u003eCALL(\u0026quot;libc.dylib\u0026quot;,\u0026quot;system\u0026quot;,\u0026quot;JC\u0026quot;,\u0026quot;open -a Calculator\u0026quot;)\u003c/code\u003e launches Calculator.app.\u003c/li\u003e\n\u003cli\u003eThe executed code operates within the sandbox of the Microsoft Excel application.\u003c/li\u003e\n\u003cli\u003eAlthough sandboxed, an attacker could attempt to exploit further vulnerabilities to escape the sandbox.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves code execution on the target system, potentially leading to further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary code on a macOS system without user interaction. 
While macOS sandboxing, file quarantine, and code notarization mechanisms can limit the impact, a successful exploit could lead to sensitive data compromise, arbitrary code execution, and further system compromise if the attacker can bypass these protections. The impact is somewhat mitigated by macOS security features, but it still presents a viable attack vector.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable the \u0026ldquo;Disable all macros with notification\u0026rdquo; setting in Microsoft Excel to ensure users are prompted before macro execution, as mentioned in the overview.\u003c/li\u003e\n\u003cli\u003eMonitor for the execution of unusual processes spawned by Microsoft Excel, using the Sigma rule \u003ccode\u003eDetect Suspicious Process Spawned by Excel\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eConsider blocking SYLK (.slk) files at the email gateway and web proxy, as recommended by CERT.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect and block connections to known malicious command-and-control servers, to mitigate potential post-exploitation activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-excel-xlm-rce/","summary":"A logic flaw in Microsoft Excel allows remote code execution on macOS via malicious XLM macros in SYLK files, bypassing the 'Disable all macros without notification' setting.","title":"Microsoft Excel XLM Macro Remote Code Execution on macOS","url":"https://feed.craftedsignal.io/briefs/2024-01-excel-xlm-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Xlm","version":"https://jsonfeed.org/version/1.1"}