“Humans are impatient, exploits don't have to be,” Wardle said.Īpple did not respond to a request for comment.Ī Microsoft spokesperson said that the company has “investigated and determined that any application, even when sandboxed, is vulnerable to misuse of these APIs,” the company wrote in an emailed statement. That, however, doesn’t mean it could not work, especially in a scenario where hackers target as many people as possible, hoping one falls for it. It’s worth noting, and Wardle admitted it too, that for this exploit to work, the victim has to login into their Mac computer on two separate occasions, as every login triggers a different step in the chain.
Microsoft access for mac users zip#
zip file, MacOS wouldn’t check it against its new notarization protections, which technically won’t allow files downloaded from the internet to access user files unless they come from known developers. Finally, the last piece of the puzzle was to realize that if that file was a. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 9, OTR chat at or email he took advantage of a flaw discovered by another researcher, which allows a hacker to escape the Microsoft Office sandbox by creating a file that starts with the “$” sign. “Security researchers love these ancient file formats because they were created at a time when no one was thinking about security,” Wardle said.ĭo you work or did you use to work at Apple? Do you do research on iOS or MacOS? We’d love to hear from you. Wardle, who is now a security engineer at the Mac-focused company Jamf, first realized he could create an Office file with an ancient file format (.slk), that would prompt Office to automatically run macros on MacOS without alerting the user, a technique discovered by two other security researchers in 2018.
Microsoft access for mac users series#
Wardle’s hack was possible thanks to a series of happenstances and bugs he found and linked together. Wardle published a blog post on Wednesday morning, and will demonstrate his findings during the Black Hat security conference on Wednesday, which is being held online this year due to the coronavirus pandemic.
“I basically said, could things be worse?”Īs it turns out, they could. “Current MacOS attacks are very ineffective, kind of lame,” Wardle told Motherboard in a phone call.
0 kommentar(er)
