Documents of Doom – Infecting macOS via Office Macros

On the Windows platform, macro-based attacks are well understood (and frankly are rather old news). However on macOS, though such attacks are growing in popularity and are quite en vogue, they have received far less attention from the research and security community.

In this talk, we will begin by analyzing recent macro-based attacks that target Apple’s desktop OS, highlighting their macOS-specific exploit code and payloads.

Next, we’ll detail a novel exploit chain, that starts with CVE-2019-1457, leverages a new sandbox escape and a full bypass of Apple’s stringent notarization requirements. Triggered by simply opening a malicious (macro-laced) Office document, no other user interaction required, in order to persistently infect even a fully-patched macOS Catalina system.

…so maybe don’t open any Office documents for the time being!? ๐Ÿ˜‰

Location: Track 1 Date: April 23, 2020 Time: 5:30 pm - 6:30 pm Patrick Wardle