Researchers Identify Bugs in Microsoft Excel, Apple macOS

Threat intelligence firm Mimecast revealed that hackers are exploiting a Microsoft Excel feature called Power Query to facilitate Office 365 attacks. This feature lets legitimate users combine data from various sources by linking to those components in a spreadsheet. Hackers replace a link with another that leads to a site infected with malware. The hacked Excel spreadsheets then allow attackers to install backdoors, using the software program’s own tools. Meanwhile, Apple has yet to fix a macOS bug first identified by a cybersecurity researcher in February.

Wired reports Mimecast chief scientist Meni Farjon said that, with Power Query, “attackers don’t need to invest in a very sophisticated attack.” “They can just open up Microsoft Excel and use its own tools, and you have basically 100 percent reliability,” he said, adding that the hack “will work in all the versions of Excel as well as new versions, and will probably work across all operating systems, programming languages, and sub-versions, because it’s based on a legitimate feature.”

Farjon believes that when Power Query is linked to an infected website, “attackers could initiate something like a Dynamic Data Exchange [DDE] attack, which exploits a Windows protocol that lets applications share data in an operating system.” Hackers have launched such DDE attacks since about 2014, and a 2017 Microsoft security advisory “offered suggestions about how to avoid the attacks, like disabling DDE for various Office suite programs.”

Mimecast researchers uncovered another way to launch attacks “on devices that don’t have these workarounds in place,” and shared their findings with Microsoft in June 2018. Microsoft “said that it would not be making any changes to the feature and hasn’t since.”After waiting for one year for the company to change its mind, Farjon released the information to the public. “Unfortunately I think attackers will absolutely use this,” he said. “It’s easy, it’s exploitable, it’s cheap, and it’s reliable.”

Elsewhere, Wired reports that cybersecurity researcher Filippo Cavallarin discovered a bug in macOS on February 22 and reported it to Apple, which said it would fix it by mid-May. When that deadline passed, he published a “full description and proof-of-concept code on May 24.”

Now, ZDNet reports that “cybersecurity firm Intego recently spotted malware authors testing out what the researchers call OSX/Linker, which uses a variation on Cavallarin’s proof-of-concept to sneak malicious code past Gatekeeper’s defenses.” This particular hack hasn’t yet been used “in the wild,” but it is a “looming threat to Mac owners.”

Apple’s Gatekeeper, first introduced in 2012 with OS X Mountain Lion, scans apps downloaded from outside the Apple App store to make sure the software hasn’t been tampered with, but Cavallarin learned that Gatekeeper “considers applications coming from external drives, or shared over a network, as safe.” Hackers can use that weakness to place malware into a victim’s system, bypassing Gatekeeper.

Intego chief security analyst Joshua Long reported that the trick could easily be used to link to “some really nasty spyware, a backdoor.” “You can use it to infect anybody with anything,” he said.