Office for Mac 2011 users warned about SYLK file format – Naked Security

Any Apple users out there still running Microsoft Office for Mac 2011? If so, there are at least two reasons why that might not be a good idea.

The first is that Microsoft stopped supporting this version with bug and security fixes in October 2017, which means that any vulnerabilities in the software are essentially there forever.

The second is that the US CERT Coordination Center (CERT/CC) has issued a warning prompted by new research. The warning details the risky way Office for Mac 2011 handles a forgotten macro format called XML (no relation to XML markup) when embedded inside a Microsoft spreadsheet exchange format called SYLK (SYmbolic LinK).

It’s unlikely many people will have heard of either but as with so many formats from the distant past, support for them lingers on inside today’s software as something attackers might exploit in certain circumstances.

Last year, Dutch researchers noticed that SYLK’s .slk file format was a great “candidate for weaponization on Mac” for reasons that have been underestimated.

First, Office’s ‘be careful’ protected mode sandbox warnings weren’t triggered when trying to open files in this format.

More seriously, in Office for Mac 2011, the default macro execution warning – disable all macros without notification – could allow an attack exploiting XML inside .slk files to slip through unnoticed.

The only alternatives to this are the clearly unwise enable all macros or disable macros with notification which stops any macros from running automatically but informs the user each time it has to intervene.

Disable all macros without notification should be safer but, ironically disable macros with notification is the option that would warn of a malicious XML/SYLK file.