Ex-NSA Hacker Finds a Way to Hack Mac Users Via Microsoft Office

A security researcher who specializes in MacOS found a way to hack users who would double click on a Microsoft Office file, with no need for any other interaction.
August 5, 2020, 12:00pm

Mac computers have long enjoyed the reputation of being more secure than their Windows counterparts. Over the last few years, however, as more and more people choose Macs—especially at big corporations—that notion is changing thanks to hackers turning their sights on Apple’s computer operating system.

On Wednesday, former NSA hacker Patrick Wardle will demonstrate how he was able to create a chain of exploits that would have allowed hackers to take control of a Mac by simply convincing the target to open a Microsoft Office file laden with a malicious macro. Creating Office files with malicious macros is an old trick that’s been enjoying a second life lately for hackers interested in Windows targets. Wardle is now showing how macros—essentially small programs embedded in documents—could be exploited on MacOS as well.


“Current MacOS attacks are very ineffective, kind of lame,” Wardle told Motherboard in a phone call. “I basically said, could things be worse?”

As it turns out, they could. Wardle published a blog post on Wednesday morning, and will demonstrate his findings during the Black Hat security conference on Wednesday, which is being held online this year due to the coronavirus pandemic.

Wardle’s hack was possible thanks to a series of happenstances and bugs he found and linked together. Wardle, who is now a security engineer at the Mac-focused company Jamf, first realized he could create an Office file in an ancient file format (.slk) that would prompt Office to run macros automatically on MacOS without alerting the user, a technique discovered by two other security researchers in 2018.

“Security researchers love these ancient file formats because they were created at a time when no one was thinking about security,” Wardle said.


Then, he took advantage of a flaw discovered by another researcher, which allows a hacker to escape the Microsoft Office sandbox by creating a file that starts with the “$” sign. Finally, the last piece of the puzzle was to realize that if that file was a .zip file, MacOS wouldn’t check it against its new notarization protections, which technically won’t allow files downloaded from the internet to access user files unless they come from known developers.

It’s worth noting, and Wardle admitted it too, that for this exploit to work, the victim has to log in to their Mac on two separate occasions, as each login triggers a different step in the chain. That, however, doesn’t mean it could not work, especially in a scenario where hackers target as many people as possible, hoping one falls for it.


“Humans are impatient, exploits don't have to be,” Wardle said.

Apple did not respond to a request for comment.

Microsoft has “investigated and determined that any application, even when sandboxed, is vulnerable to misuse of these APIs,” a company spokesperson wrote in an emailed statement. “We are in regular discussion with Apple to identify solutions to these issues and support as needed.”

The flaws Wardle took advantage of are now fixed in the latest version of Office for Mac and in MacOS 10.15.3. Wardle said, however, that Apple was unresponsive when he reported the flaws.

“It's just a little frustrating when, you know, again, us as security researchers are basically doing this free security research. And we do it because we believe that we can help increase the security of the ecosystem in the platform for ourselves as Mac users, but also other Mac users,” Wardle said, referring to the bugs he’s reported to Apple.

“I still have received zero dot zero dollars from Apple. So, you know, maybe there's like a clause in there that's like 'no money for Patrick,' which is fine,” he added, laughing.
