Microsoft Office for Mac cannot properly disable XLM macros


The Microsoft Office for Mac option “Disable all macros without notification” enables XLM macros without prompting, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.


XLM macros

Up to and including Microsoft Excel 4.0, a macro format called XLM was available. XLM macros predate the VBA macros that are more common with modern Microsoft Office systems, however current Microsoft Office versions still support XLM macros.

SYLK and XLM macros

XLM macros can be incorporated into SYLK files, as outlined by Outflank. Macros in the SYLK format are problematic in that Microsoft Office does not open in Protected View to help protect users. This means that users may be a single click away from arbitrary code execution via a document that originated from the internet.

SYLK and XLM macros with Microsoft Office for Mac

It has been reported that Office 2011 for Mac fails to warn users before opening SYLK files that contain XLM macros. According to this post, Microsoft has reported that Office 2016 and Office 2019 for Mac properly prompt the user before executing XLM macros in SYLK files.

The Problem

If Office for the Mac has been configured to use the “Disable all macros without notification” feature, XLM macros in SYLK files are executed without prompting the user.


By convincing a user to open specially-crafted Microsoft Excel content on a Mac that has “Disable all macros without notification” enabled, a remote, unauthenticated attacker may be able to execute arbitrary code with privileges of the user running Excel.


Apply an update

This issue is addressed for Office 2016 for Mac build 16.16.16 (19111100) and Office 2019 for Mac build 16.31 (19111002), as described in the Microsoft Security update for CVE-2019-1457.

Block SYLK files at email and web gateways

SYLK files, which have the file extension SLK, should be blocked at email and web gateways to help prevent exploitation of this vulnerability.




This issue was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

CVE IDs:CVE-2019-1457
Date Public:2019-10-31
Date First Published:2019-11-01
Date Last Updated:2019-11-15 12:51 UTC
Document Revision:37

Leave a Reply

Your email address will not be published. Required fields are marked *