7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
39.9%
The Microsoft Office for Mac option “Disable all macros without notification” enables XLM macros without prompting, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
XLM macros
Up to and including Microsoft Excel 4.0, a macro format called XLM was available. XLM macros predate the VBA macros that are more common with modern Microsoft Office systems, however current Microsoft Office versions still support XLM macros.
SYLK and XLM macros
XLM macros can be incorporated into SYLK files, as outlined by Outflank. Macros in the SYLK format are problematic in that Microsoft Office does not open in Protected View to help protect users. This means that users may be a single click away from arbitrary code execution via a document that originated from the internet.
SYLK and XLM macros with Microsoft Office for Mac
It has been reported that Office 2011 for Mac fails to warn users before opening SYLK files that contain XLM macros. According to this post, Microsoft has reported that Office 2016 and Office 2019 for Mac properly prompt the user before executing XLM macros in SYLK files.
The Problem
If Office for the Mac has been configured to use the “Disable all macros without notification” feature, XLM macros in SYLK files are executed without prompting the user.
By convincing a user to open specially-crafted Microsoft Excel content on a Mac that has “Disable all macros without notification” enabled, a remote, unauthenticated attacker may be able to execute arbitrary code with privileges of the user running Excel.
Apply an update
This issue is addressed for Office 2016 for Mac build 16.16.16 (19111100) and Office 2019 for Mac build 16.31 (19111002), as described in the Microsoft Security update for CVE-2019-1457.
Block SYLK files at email and web gateways
SYLK files, which have the file extension SLK, should be blocked at email and web gateways to help prevent exploitation of this vulnerability.
125336
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: October 31, 2019 Updated: November 12, 2019
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Temporal | 5.8 | E:POC/RL:W/RC:C |
Environmental | 4.4 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
This issue was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
CVE IDs: | CVE-2019-1457 |
---|---|
Date Public: | 2019-10-31 Date First Published: |
objective-see.com/blog/blog_0x50.html
outflank.nl/blog/2018/10/12/sylk-xlm-code-execution-on-office-2011-for-mac/
outflank.nl/blog/2019/10/30/abusing-the-sylk-file-format/
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1457
support.office.com/en-us/article/what-is-protected-view-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653
support.office.com/en-us/article/working-with-excel-4-0-macros-ba8924d4-e157-4bb2-8d76-2c07ff02e0b8
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.001 Low
EPSS
Percentile
39.9%