Apple and Microsoft have fixed the flaw in macOS 10.15.3 and the latest version of Office on Mac, respectively.
Researcher used the age-old SLK format to perform the exploit
macOS security researcher and former NSA hacker Patrick Wardle has discovered a new vulnerability that would have allowed a hacker to take control of a Mac device by using a simple Microsoft Office file. The researcher discovered that hackers could easily misuse the ‘macro' feature in Microsoft Office to take control of devices. Microsoft Office apps allow users to automate tasks with custom commands using the ‘macro' feature. While hacks exploiting Office features on Windows devices have been reported earlier, this is said to be the first time that a researcher has demonstrated a macro-enabled exploit working on macOS as well. The exploit has now been patched.
In a blog post, the security researcher explained using several breaches and bugs that were present in Microsoft Office to inject the malicious code on macOS devices. The researcher created a file in the age-old ‘SLK' format to sidestep the macOS security system. The researcher also created a file whose name started with the ‘$' character. This particular file with the malicious code was able to break the Microsoft Office sandbox and enable the researcher to access the macOS device. Wardle even published a video showing off how the malicious code was used to open the Calculator app through Microsoft Excel. The searcher says that this exploit could be used to access other things as well.
For the exploit to work, the ‘macro' feature has to be enabled by the user for its Microsoft Office apps. The researcher points that Microsoft Office asks users if they really want to enable the ‘automated task' feature, and users who don't look at system alerts and just click on any option to rush through dialog boxes, are often more prone to harm than others. “Humans are impatient, exploits don't have to be,” the researcher told Vice.
While Apple did not respond to Wardle's report of the newly discovered flaw, a Microsoft spokesperson told the publication, “The company has investigated and determined that any application, even when sandboxed, is vulnerable to misuse of these APIs. We are in regular discussion with Apple to identify solutions to these issues and support as needed.” Furthermore, Apple and Microsoft have fixed the flaw in macOS 10.15.3 and the latest version of Microsoft Office on Mac, respectively.
WWDC 2020 had a lot of exciting announcements from Apple, but which are the best iOS 14 features for India? We discussed this on Orbital, our weekly technology podcast, which you can subscribe to via Apple Podcasts, Google Podcasts, or RSS, download the episode, or just hit the play button below.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.