Attacks via macro exploits can only be prevented with current versions of Monterey and Big Sur, according to the company.
Microsoft has published a “deep dive” into a dangerous vulnerability that affects Microsoft Office on older versions of macOS. A patch for the vulnerability, tracked as CVE-2022-26706, has been available since May. Microsoft therefore recommends installing at least macOS Monterey 12.4 or macOS Big Sur 11.6.6 – i.e. the latest version of Monterey and at least the penultimate version of Big Sur.
Leaving the sandbox
Microsoft noticed the exploitable bug while the company’s security team was looking for ways to break out of the macOS sandbox via Office macros. This revealed a problem related to reading and writing files with a “~$” prefix – a feature that was left in Microsoft Word for compatibility reasons.
The Microsoft security researchers then found that the macOS Launch Services can be used to run an “open --stdin” command on a specially crafted Python file that carries this prefix. This made it possible to bypass basic security functions in macOS and thus attack or access system and user data.
Breakouts again and again
The bug is far from the first vulnerability in the macOS sandbox. In the case of CVE-2022-26706, Launch Services could also have been used to establish persistence for a possible exploit. It is unclear whether the vulnerability was ever exploited, i.e. whether there are or were exploits in the wild.
However, users should definitely update to the latest macOS versions in order to prevent possible attacks via Office macros. In addition, it makes sense to read up on macro security in general, since macros always pose certain risks – even without an exploit. Interestingly, the sandbox escape vulnerability discovered by Microsoft is also present in iOS, iPadOS, tvOS and watchOS. Office variants are available at least for iOS and iPadOS. It was initially unclear whether attacks would have been possible there. The bug has been fixed with iOS, iPadOS and tvOS 15.5 as well as watchOS 8.6 – these are the latest operating system versions.
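As an added example (not from Microsoft or the original article), the following Python check flags devices in an inventory that are below the fixed versions named above. The host names and inventory rows are constructed, and release branches the article does not mention are reported as unknown rather than guessed.

```python
import re

# Minimum fixed versions per release branch, as stated in the article.
FIXED = {
    ("macos", 11): (11, 6, 6),    # Big Sur
    ("macos", 12): (12, 4, 0),    # Monterey
    ("ios", 15): (15, 5, 0),
    ("ipados", 15): (15, 5, 0),
    ("tvos", 15): (15, 5, 0),
    ("watchos", 8): (8, 6, 0),
}

def parse_version(text):
    """Turn '12.4', '11.6.6' or '12.3.1 (21E258)' into a 3-tuple of ints."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def status(platform, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one device."""
    v = parse_version(version)
    fixed = FIXED.get((platform.strip().lower(), v[0]))
    if fixed is None:
        # Release branch not mentioned in the article: do not guess.
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"

def audit(inventory):
    """Map each (host, platform, version) row to (host, status)."""
    return [(host, status(platform, version))
            for host, platform, version in inventory]

# Constructed sample inventory (hypothetical host names).
SAMPLE = [
    ("mac-design-01", "macOS", "12.3.1"),
    ("mac-build-02", "macOS", "11.6.6"),
    ("mac-legacy-03", "macOS", "10.15.7"),
    ("ipad-sales-04", "iPadOS", "15.4.1"),
    ("watch-exec-05", "watchOS", "8.6"),
]

if __name__ == "__main__":
    for host, result in audit(SAMPLE):
        print(f"{host}: {result}")
```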