
Reaching Parity in Office for Mac

As part of ongoing security research to bring the security of our macOS systems in line with our Windows systems, we identified several places where Office for Mac didn’t have the same controls as its Windows sibling. We reached out to Microsoft about these gaps, and they have provided two additional controls for Office for Mac to better secure macOS systems.

VBAObjectModelIsTrusted

One gap was that Office documents opened in Office for Mac could dynamically generate Visual Basic for Applications (VBA) modules at runtime. On Windows this is locked down in the Trust Center with a setting called “Trust access to the VBA project object model.” Microsoft describes this setting here¹:

"Disallow or allow programmatic access to the Visual Basic for Applications (VBA) object model from an automation client. This security option is for code written to automate an Office program and manipulate the VBA environment and object model. It is a per-user and per-application setting, and denies access by default, hindering unauthorized programs from building harmful self-replicating code. For automation clients to access the VBA object model, the user running the code must grant access. To turn on access, select the check box."

Previously, in Office for Mac, this was only implemented in PowerPoint. Microsoft will be deploying this setting to the other products in Office for Mac 2019 in version 16.21². There will be a configuration preference, “VBAObjectModelIsTrusted”, that allows administrators to control whether or not the Office suite will allow access to the VBA object model. By default, access to the object model will be blocked. There is one minor difference in how this control applies between the two operating systems: on Windows, the setting is per-user and per-application; on macOS, it is per-user and applies to the entire suite of Microsoft Office products.

TryDefaultPassword

Before we go into this new configuration, I’m going to reference a few articles:

Okay, now that we’ve covered the high-level background on this ancient default password (“VelvetSweatshop”), which Excel tries automatically and silently when opening an encrypted workbook, we can cover how to disable it. On Windows, the following registry value (where 1?.0 is the Office version, e.g. 16.0) can be set to 0 to disable this behaviour:

HKCU\Software\Microsoft\Office\1?.0\Excel\Security\TryDefaultPassword

On Office for Mac, there was no matching configuration to disable this behaviour. As of Office for Mac version 16.20 (released December 2018), Microsoft has added the configuration preference “TryDefaultPassword.” This preference defaults to YES, which means Excel will continue to silently decrypt these files for you. To protect your systems, after testing, you should change this preference to NO.

Both of these preferences are CFPreferences-compatible and are respected as computer-wide policies if deployed through a Configuration Profile.
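Since both preferences are CFPreferences-compatible and honoured as computer-wide policy from a Configuration Profile, the natural way to deploy them is a single custom-settings profile that forces TryDefaultPassword and VBAObjectModelIsTrusted to NO. The script below is an added example, not code from the original post or from Microsoft; it uses only the Python standard library. The com.microsoft.Excel domain is the one the post itself uses for TryDefaultPassword; using com.microsoft.office as the domain for the suite-wide VBAObjectModelIsTrusted is an assumption to confirm against Microsoft’s VBSecurityControls document before rollout, and the identifier and organisation strings are placeholders.

```python
"""
Generate a macOS Configuration Profile (.mobileconfig) that forces the two
Office for Mac preferences from the post: TryDefaultPassword=NO (Excel) and
VBAObjectModelIsTrusted=NO (suite-wide).  Standard library only.
"""
import plistlib
import uuid

# Preference domain -> settings to force.  com.microsoft.Excel is the domain
# the post uses for TryDefaultPassword.  com.microsoft.office as the domain
# for VBAObjectModelIsTrusted is an ASSUMPTION (the preference is suite-wide);
# confirm it against Microsoft's VBSecurityControls document before deploying.
# Values are real booleans: a profile carrying the string "NO" instead of a
# plist <false/> will not be honoured by the application.
OFFICE_HARDENING = {
    "com.microsoft.Excel": {"TryDefaultPassword": False},
    "com.microsoft.office": {"VBAObjectModelIsTrusted": False},
}


def build_profile(prefs=OFFICE_HARDENING,
                  identifier="com.example.office-mac-hardening",
                  organization="Example Org"):
    """Return the profile as a plist-ready dict: one
    com.apple.ManagedClient.preferences payload per domain, with every key
    listed under 'Forced' so a user cannot override it with `defaults write`."""
    payloads = []
    for domain, settings in sorted(prefs.items()):
        payloads.append({
            "PayloadType": "com.apple.ManagedClient.preferences",
            "PayloadVersion": 1,
            "PayloadIdentifier": f"{identifier}.{domain}",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": f"Custom Settings: {domain}",
            "PayloadContent": {
                domain: {"Forced": [{"mcx_preference_settings": dict(settings)}]}
            },
        })
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",  # computer-wide, as the post notes
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Office for Mac security hardening",
        "PayloadOrganization": organization,
        "PayloadContent": payloads,
    }


def profile_to_xml(profile):
    """Serialise to the XML plist bytes that `profiles install` or an MDM expects."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def forced_settings(profile_xml):
    """Parse a profile (bytes) and return {domain: {key: value}} of everything
    it forces.  A pre-deployment check that the profile enforces exactly what
    was intended and that the values survived serialisation as booleans."""
    profile = plistlib.loads(profile_xml)
    found = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        for domain, body in payload["PayloadContent"].items():
            for entry in body.get("Forced", []):
                found.setdefault(domain, {}).update(entry["mcx_preference_settings"])
    return found


def defaults_commands(prefs=OFFICE_HARDENING):
    """Equivalent per-user `defaults write` lines for testing on a single Mac
    before the profile is pushed; -bool YES/NO matches the post's TL;DR form."""
    return [
        f"defaults write {domain} {key} -bool {'YES' if value else 'NO'}"
        for domain, settings in sorted(prefs.items())
        for key, value in settings.items()
    ]


if __name__ == "__main__":
    xml = profile_to_xml(build_profile())
    with open("office-mac-hardening.mobileconfig", "wb") as fh:
        fh.write(xml)
    print(forced_settings(xml))
    print("\n".join(defaults_commands()))
```

Run it, install the resulting .mobileconfig (or upload it to your MDM), and then open an Excel workbook encrypted with the default password on a test Mac: with the profile applied, Excel should prompt for a password instead of opening it silently. The `forced_settings` check is worth keeping in a CI step for any profile you hand-edit, because a value typed as the string "NO" parses fine as a plist but does nothing.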

TL;DR

  • Upgrade to Office 365/2019 for Mac and keep your versions up to date
  • Deploy this configuration preference to your macOS systems:
    defaults write com.microsoft.Excel TryDefaultPassword -bool NO
  • If you’re on a Windows system, set the following registry value to 0:
    HKCU\Software\Microsoft\Office\1?.0\Excel\Security\TryDefaultPassword

References

  1. https://support.office.com/en-us/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6
  2. https://macadmins.software/docs/VBSecurityControls.pdf

Special Thanks

Erik Schwiebert — Microsoft
Paul Bowden — Microsoft
Danny Chrastil (DisK0nn3cT) — Walmart