Are VBA and code-signing a distraction to the real threat?
Microsoft says it's "by design" that their software can be rigged to give up your data when you open an Excel file. In the world of technology, security vulnerabilities are a common occurrence. Despite the efforts of tech giants like Microsoft to ensure their products are secure, sometimes they fall short. In this case, the company has refused to own up to its mistake, putting users at risk. This post showcases an Information Disclosure vulnerability in the Microsoft Excel file format (XLSX) and Microsoft's reluctance to address it.
It's a file format that users trust. Like a PDF, it's a format you don't expect to trick you. Regarded as safe? News flash... it's not. Here comes the PSA:
!!! NEVER CLICK THIS BUTTON. !!!
That means that simply using many workbooks requires clicking it, and that single click is all the leverage a cybercriminal needs to gain unauthorized access to your file system.
Imagine downloading or receiving a spreadsheet from a colleague. You trust it's safe, as it's an Office Open XML format running inside a Microsoft product without scripts or macros. You enable content once, accidentally or intentionally. From then on, the document leaks the entire directory listing of your hard drive(s), allowing an attacker to choose which file they'd like.
The attacker either responds interactively, or sets it up to read a target file type (as shown in the demo) based on predefined characteristics, PowerQuery happily filters it out and sends it along. This demo works with text files, though I believe binary files are achievable as well.
As long as Microsoft denies this vulnerability and the bounty that is designed to protect customers, banks and institutions will remain susceptible to this flaw. Given this loophole, an attacker could safely bypass protections and fool many traditional defences, because the data theft happens inside a trusted process (e.g. an "XLSX shell" couldn't achieve code execution, but it could leak data while avoiding detection).
Despite the severity of this, Microsoft has been slow to address it. I first reported the issue on Feb. 2, 2023, but the only meaningful response I've received is that my demo works and it's working by design; well gee, that's helpful. I guess the MSRC team may not be prepared to address vulnerabilities that happen through built-in functionality and not through stack manipulation.
Even so, many users are still vulnerable. Given that this so blatantly flew in the face of (and past) Microsoft, researchers have yet to think of new ways to exploit this vulnerability while Microsoft denies it needs to be fixed. If Microsoft fails to recognize and remediate this issue, it's a troubling prospect for users who rely on Excel to do business and need security.
So, what can users do to protect themselves? The best course of action is not to use Excel on the desktop, or to use it without enabling active content. O365 (Excel on the web) should be a safer alternative, since the INFO("directory") function is not available there.
In conclusion, this backdoor method of leaking data is a serious issue the company has been slow and, in my opinion, negligent to address. While there are steps users can take to protect themselves, it is ultimately up to Microsoft to fully communicate the gravity of enabling active content, and not mask it behind a single click/minimal warning.
How should Microsoft go about fixing it? They could make this kind of attack more difficult to pull off by ending support for legacy Excel functions that give up crucial information like environment variables. It looks like they have already done this in PowerQuery, though the issue remains if we're able to get the same information from a native Excel formula, as demonstrated here.
Alternatively, I think they could redesign the UI to display the warning more front and center, so that business users design their spreadsheets in a way that doesn't require the recipient to give up these permissions simply to use the document.
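A check a recipient (or a mail gateway) can run on a workbook before anyone clicks the button, covering the two ingredients the post describes: a native INFO()/CELL() formula that gives up path or environment details, and a Power Query connection that can carry data out. This is an added example, not code from the post; the workbook it scans is a constructed minimal sample, and the "Microsoft.Mashup.OleDb" provider string is assumed to be how Power Query connections are identified in xl/connections.xml.

```python
"""Static triage of an .xlsx (a ZIP of XML parts) for leaky formulas and Power Query."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
LEAKY_FORMULA = re.compile(r"\b(INFO|CELL)\s*\(", re.IGNORECASE)  # legacy env/path functions
MASHUP_PROVIDER = "Microsoft.Mashup.OleDb"  # assumed Power Query OLE DB provider id


def scan_workbook(data: bytes) -> dict:
    """Return what a defender wants to know before 'Enable Content' is clicked."""
    findings = {"leaky_formulas": [], "power_query": False, "external_connections": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            raw = zf.read(name)
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                # Sheet formulas are stored in <c r="A1"><f>...</f></c> without the leading '='.
                for cell in ET.fromstring(raw).iterfind(".//m:c", NS):
                    f = cell.find("m:f", NS)
                    if f is not None and f.text and LEAKY_FORMULA.search(f.text):
                        findings["leaky_formulas"].append((name, cell.get("r"), f.text))
            elif name == "xl/connections.xml":
                for conn in ET.fromstring(raw).iterfind("m:connection", NS):
                    findings["external_connections"] += 1
                    db = conn.find("m:dbPr", NS)
                    if db is not None and MASHUP_PROVIDER in db.get("connection", ""):
                        findings["power_query"] = True
            elif name.startswith("customXml/") and b"DataMashup" in raw:
                findings["power_query"] = True  # embedded M query package
    # The combination is the risk: a formula that reads local state plus a query that can send it.
    findings["risky"] = bool(findings["leaky_formulas"]) and findings["power_query"]
    return findings


def build_sample_xlsx() -> bytes:
    """Constructed minimal workbook: one INFO("directory") cell and one Power Query connection."""
    sheet = ('<worksheet xmlns="%s"><sheetData><row r="1">'
             '<c r="A1" t="str"><f>INFO("directory")</f><v>C:\\Users\\demo\\</v></c>'
             '<c r="B1"><f>SUM(1,2)</f><v>3</v></c></row></sheetData></worksheet>' % NS["m"])
    conns = ('<connections xmlns="%s"><connection id="1" name="Query - demo" type="5">'
             '<dbPr connection="Provider=Microsoft.Mashup.OleDb.1;Data Source=$Workbook$;'
             'Location=demo" command="SELECT * FROM [demo]"/></connection></connections>' % NS["m"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        zf.writestr("xl/connections.xml", conns)
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_workbook(build_sample_xlsx()))
```

A plain SUM() formula is ignored; only the leaky function plus an outbound query flips `risky` to True, so a workbook with formulas but no connections reports as low risk.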
After submitting this blog post to the Microsoft Security Response Team, if they still fail to recognize and respond to the issue, I'll post this publicly for the protection of users. Fingers crossed they do the right thing.