Macros and Malware: Why Microsoft Office’s Vulnerabilities Put SAP at Risk

Dec 12, '17 by Joerg Schneider-Simon

For decades, businesses and individuals have turned to Microsoft Office to create documents, spreadsheets, databases, and more. And as new cybersecurity threats have arisen, Microsoft has issued updates and patches to address those threats.

However, two vulnerabilities (CVE-2017-11877 and CVE-2017-11882) were recently discovered, and they may have been putting your SAP system at serious risk.

Hidden Danger in Excel

CVE-2017-11877 involves a flaw in Excel. Because of this flaw, Excel does not enforce macro settings, so it isn’t able to fully disable macros in spreadsheets. This is dangerous because targeted businesses or individuals could receive an Excel file, do the right thing by disabling macros before opening it, and still have a malicious macro run automatically – where it could then spy on the user, take over the machine, or perform any number of other tasks.

A 17-Year-Old Office Vulnerability

CVE-2017-11882 is a different issue altogether and was only recently discovered by the security researchers at Embedi. It is a memory-corruption problem that exists in every version of Microsoft Office released in the past 17 years, including Office 365. It’s a remote code execution vulnerability that resides in the component responsible for OLE objects in documents. Because this component fails to properly handle objects in memory, memory can be corrupted in a way that lets an attacker execute malicious code in the context of the current user. At that point, the attacker could install programs, alter data, or create new accounts.

Why Does This Threaten SAP Systems?

SAP and Microsoft Office aren’t usually mentioned in the same breath. However, with SAP applications that allow the uploading of documents (like SRM or E-Recruiting), it’s common for external users to upload Office documents, like purchase orders or resumes, into a company’s SAP system.

If those documents contain malicious macros or objects, they could easily wreak havoc on your SAP files and system. And unfortunately, neither SAP itself nor standard anti-virus programs are able to prevent this from happening.

This is because SAP handles files differently than standard disk volumes do. As files are uploaded into SAP via a secure connection, anti-virus programs are unable to scan them in transit. The files are then stored in SAP’s own data repository, which anti-virus programs can’t examine. This is due to anti-virus programs being unable to connect with SAP’s virus scan interface (NW-VSI).
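As an added illustration (not code from the original post or from any SAP or vendor product), the following Python sketch shows the kind of content check an upload path could apply to Office documents before they reach the repository: it flags VBA macro projects and embedded OLE/ActiveX parts in OOXML files and routes legacy binary formats to deeper analysis. The function names and the in-memory sample files are constructed for this example, and the check only reports that active content is present, not whether it is malicious.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.xls/.ppt container

def inspect_upload(data: bytes) -> dict:
    """Classify an uploaded file and list active content worth reviewing."""
    report = {"container": "unknown", "macros": [], "embedded_objects": []}
    if data.startswith(OLE2_MAGIC):
        # Legacy binary format: macros and objects live in OLE streams that
        # this sketch does not parse, so such files go to deeper analysis.
        report["container"] = "ole2"
        return report
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return report
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    # Every OOXML package carries a [Content_Types].xml part at its root.
    report["container"] = "ooxml" if "[Content_Types].xml" in names else "zip"
    for name in names:
        lower = name.lower()
        if lower.endswith("vbaproject.bin"):        # VBA macro project
            report["macros"].append(name)
        elif "/embeddings/" in lower or "/activex/" in lower:
            report["embedded_objects"].append(name)  # OLE / ActiveX parts
    return report

def needs_review(report: dict) -> bool:
    """Hold anything that is not an OOXML file free of active content."""
    return (report["container"] != "ooxml"
            or bool(report["macros"])
            or bool(report["embedded_objects"]))

def make_sample(extra_parts=()) -> bytes:
    """Constructed sample: a minimal ZIP using OOXML-style part names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        for part in extra_parts:
            zf.writestr(part, b"\x00")
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in [("clean", make_sample()),
                        ("macro", make_sample(["xl/vbaProject.bin"])),
                        ("object", make_sample(["xl/embeddings/oleObject1.bin"])),
                        ("legacy", OLE2_MAGIC + b"\x00" * 504)]:
        print(label, needs_review(inspect_upload(blob)))
```

A check like this assumes the upload field is meant to accept Office documents only, which is why anything that is not a macro-free OOXML package is held for review.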

How to Protect Your System

The first step is making sure you keep on top of security updates, whether they’re for Office, SAP, or any other system you run. However, keep in mind that in most cases, by the time a security update is issued, the problem has existed for a while (maybe even 17 years). 

To protect your system, it’s a better idea to stay ahead of threats with an SAP security solution that works seamlessly with your SAP system because it’s designed exclusively for it.

Want to know more about how macros in documents can contain cyberthreats, and why SAP’s security vulnerabilities can’t stop them? Download our white paper today.

