A security vulnerability has been discovered in Excel for Mac. It’s been there for many years and affects Office 365, Office 2019, Office 2016 and Office 2011 for Mac. We have details and suggest a protection you can do yourself.
It’s another problem with legacy support for an older Microsoft Office feature. In this case it’s a very old and almost forgotten part of Excel for Mac: support for SYLK files. SYLK files could include XLM macros, long superseded by VBA but still available in Excel for Mac.
Outflank has been digging into the strangeness of XLM and SYLK.
Here’s where it gets strange. A SYLK file with XLM embedded will be run by Excel for Mac with NO warning to the user IF the security setting ‘Disable all macros without notification’ is selected. That should be the most secure option, but it allows SYLK/XLM files to run without interference.
Excel Preferences | Security
It’s hard to believe. The setting that’s supposed to disable all macros, with NO warning to the user, will instead run SYLK/XLM macros. In other words it’s only obeying the second half of the setting (i.e. ‘without notification’) and not the vital first part (‘Disable all macros’).
The only saving grace for this Microsoft blunder is the default setting. That’s ‘Disable all macros with notification’ which will at least notify users that code is about to be run.
The less secure setting is, in this case, more secure … go figure.
Office 365 for Mac IS affected
There are some strange parts of this report. It talks about Office 2019 and Office 2016 but makes no mention of Office 365 for Mac.
So we fired up our copy of Office 365 for Mac (latest build) with no previous versions of Office installed.
We made a simple .SLK file and sure enough, the vulnerability is in Excel 365 for Mac.
‘Disable all macros with notification’ works correctly: there’s an Enable / Disable Macros warning. Click Enable Macros and the SYLK/XLM code will run. Choose ‘Disable Macros’ and it won’t.
‘Disable all macros without notification’ is faulty. The macro code runs as soon as the SYLK file is loaded into Excel 365 for Mac. No warning, no notice.
No Fix from Microsoft
If all that wasn’t bad enough, there’s no simple way to protect Excel. No way to disable SYLK access within Excel.
The recommendation is that email security filters check for and block .SLK files entirely. That’s not possible for everyone and doesn’t protect against infected files sent by messaging, memory sticks etc.
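As an added example (not from the original article or from Outflank’s research), here is a content-based check a mail gateway or file scanner could run: it recognises SYLK by its `ID;P` header rather than by the .slk extension, and reports whether the file carries formula cells or defined-name records, the places where XLM code is written in a SYLK file. The sample files and the `block_all_sylk` policy flag are constructed for illustration.

```python
from typing import Any, Dict, List

SYLK_MAGIC = b"ID;P"  # every SYLK file begins with this header record

def split_fields(record: str) -> List[str]:
    """Split one SYLK record on ';', honouring the ';;' escape for a literal semicolon."""
    fields, current, i = [], "", 0
    while i < len(record):
        if record[i] == ";":
            if record[i + 1:i + 2] == ";":  # escaped semicolon inside a value
                current += ";"
                i += 2
                continue
            fields.append(current)
            current = ""
        else:
            current += record[i]
        i += 1
    fields.append(current)
    return fields

def inspect_sylk(data: bytes) -> Dict[str, Any]:
    """Report whether `data` is SYLK and whether it carries formulas or defined names."""
    report: Dict[str, Any] = {"is_sylk": False, "formula_cells": 0, "defined_names": 0, "formulas": []}
    if not data.startswith(SYLK_MAGIC):
        return report
    report["is_sylk"] = True
    for line in data.decode("latin-1").splitlines():
        fields = split_fields(line)
        if fields[0] == "C":  # cell record: an 'E' field holds a formula
            for field in fields[1:]:
                if field.startswith("E"):
                    report["formula_cells"] += 1
                    report["formulas"].append(field[1:])
        elif fields[0] == "NN":  # defined-name record (XLM macros declare their names here)
            report["defined_names"] += 1
    return report

def should_quarantine(data: bytes, block_all_sylk: bool = True) -> bool:
    """Policy: block every SYLK file, or only those carrying formulas or defined names."""
    report = inspect_sylk(data)
    if not report["is_sylk"]:
        return False
    return block_all_sylk or report["formula_cells"] > 0 or report["defined_names"] > 0

# Constructed samples (not real files): plain values only, and formula plus a defined name.
PLAIN_SYLK = b"ID;PWXL;N;E\r\nC;Y1;X1;K12\r\nC;Y2;X1;K30\r\nE\r\n"
FORMULA_SYLK = (b"ID;PWXL;N;E\r\nNN;NTotal;ER3C1\r\nC;Y1;X1;K12\r\n"
                b"C;Y2;X1;K30\r\nC;Y3;X1;ESUM(R1C1:R2C1)\r\nE\r\n")
```

Checking the header instead of the extension means a SYLK file that arrives under another name is still caught; the default policy blocks all SYLK, matching the recommendation above.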
Changing the .slk file association
It’s possible to change the default action when .slk files are opened.
On a Mac, the link between a file extension and an application is handled through Uniform Type Identifiers (UTIs), the equivalent of file associations in Windows. Listing and managing UTIs is done from the Terminal command line.
The easier way is Finder. Make a dummy file with a .slk extension (the file can be empty). The .slk file will have an Excel icon because Excel is the default application for that extension. On the ‘right-click’ menu for the .slk file choose ‘Get Info’.
From the ‘Open with’ pull-down menu choose Other … and select another app; we chose TextEdit.app.
Then select ‘Change All …’ which changes the default application for opening files with that extension.
Now, if a .slk file is opened, it’ll appear in the Mac text editor. If you’re sure it’s safe, use ‘Open with …’ to open in Excel.