{"id":29712,"date":"2020-08-07T16:34:44","date_gmt":"2020-08-07T20:34:44","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=29712"},"modified":"2021-07-06T16:47:56","modified_gmt":"2021-07-06T20:47:56","slug":"infecting-macos-via-macro-laden-documents","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2020\/08\/07\/infecting-macos-via-macro-laden-documents\/","title":{"rendered":"Infecting macOS via Macro-laden Documents"},"content":{"rendered":"

Patrick Wardle<\/a> (also: Lorenzo Franceschi-Bicchierai<\/a>):<\/p>\n

\n

Here, we’ll detail the creation of a powerful exploit chain that began with CVE-2019-1457, leveraged a new sandbox escape and ended with a full bypass of Apple’s stringent notarization requirements. Triggered by simply opening a malicious (macro-laced) Office document, no alerts, prompts, nor other user interactions were required in order to persistently infect even a fully-patched macOS Catalina system!<\/p>\n

[…]<\/p>\n

Though one could not longer create a launch agent (due to Microsoft’s patch), I discovered that macOS had no problem allowing malicious code running in the sandbox from creating a login item! Similar to launch agents, login items are automatically launched by macOS each time the user logs in …and run outside the sandbox[…]<\/p>\n<\/blockquote>\n\n

See also: The Art Of Mac Malware<\/a> (tweet<\/a>).<\/p>\n\n

Previously:<\/p>\n