Documents of Doom: Infecting macOS via Office Macros

Presented at Objective by the Sea version 3.0 (2020), March 13, 2020, 5 p.m. (25 minutes)

On the Windows platform, macro-based attacks are well understood (and frankly are rather old news). However, on macOS, though such attacks are growing in popularity and are quite en vogue, they have received far less attention from the research and security community. In this talk, we will begin by analyzing recent macro-based attacks that target Apple's desktop OS, highlighting macOS-specific exploit code and payloads. Rather unsurprisingly though, these attacks are unsophisticated: they require explicit user approval to run the malicious macro code and remain constrained by Office's restrictive sandbox. Rather lame! However, things could be worse! We'll end the talk by detailing a novel exploit chain (created by yours truly) that starts with CVE-2019-1457, leverages a new sandbox escape, and ends with a full bypass of Apple's stringent notarization requirements. It is triggered by simply opening a malicious (macro-laced) Office document, with no other user interaction required, and persistently infects even a fully-patched macOS Catalina system! ...so maybe don't open any Office documents for the time being!? 📝☠️


Presenters:

  • Patrick Wardle - Principal Security Researcher at Jamf
    Patrick Wardle is a Principal Security Researcher at Jamf and founder of Objective-See. Having worked at NASA and the NSA, as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware and writing free open-source security tools to protect Mac users.
