Mac Malware Targeting Unpatched Office Running on OS X

By Lisa Vaas  |  Posted 2012-05-02 Print this article Print

Microsoft is reporting that malware is exploiting unpatched versions of its Microsoft Office Word 2000 suite to compromise Apple Macintoshes running Snow Leopard or earlier versions of Mac OS X.

Microsoft has discovered malware that's preying on Apple computers running unpatched versions of its Office application suite.

The two vulnerabilities in question were patched in the Microsoft Office Word 2000 suite in June 2009, almost three years ago.

At that time, Microsoft put out a critical security bulletin€”MS09-027€”to close the holes, which can allow an attacker to get control of a system if a user opens a maliciously crafted Word file.

Jeong Wook Oh, of Microsoft's Malware Protection Center, wrote that nearly three years after the holes were patched, Microsoft has seen malware emerge that exploits the weaknesses on machines running Office on Mac OS X.

Microsoft is seeing limited spread of the malware, fortunately. However, Oh noted that the Malware Protection Center's investigations are turning up a few interesting tidbits.

One finding is that the malware targets only Snow Leopard or lower versions of Mac OS X. Specifically, one vulnerability is a stack-based buffer overflow that allows attack code to corrupt variables and return addresses located on the stack.

In the exploits Microsoft analyzed, they found that the malware author managed to corrupt a local variable and use it to deploy shellcode. Next, the malware uses the corrupted variable for a target address to which it copies the shellcode.

That target address is important, Oh wrote, since with Snow Leopard, it's used to exploit a specific, writable, executable location on the code heap. With Mac OS X Lion, that particular memory address can't be written, causing the exploit to fail.

The malware author is thus targeting Snow Leopard and lower Mac OS X versions, Oh said. "[It] means the attacker had knowledge about the target environment beforehand," he wrote. "That includes the target operating system, application patch levels, etc."

The malware turns the infected system into a slave in a botnet. It plants a shell script that hides abnormalities or malicious symptoms from the user. It then plants the main payload file, which is a command-and-control agent that communicates to a server that Oh said is similar to other C&C botnet servers. From there, it looks like the server is passing on commands for the infected machine to retrieve files or create processes.

The obvious takeaway is that Mac OS X isn't safe from malware, Oh said, and the situation's only going to get worse as the operating system comes into greater use. This means, of course, that Mac users have got to wake up and smell the coffee when it comes to staying on top of patches.

"Exploiting Mac OSX is not much different from other operating systems," he wrote. "Even though Mac OSX has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications."

Oh recommended that people using Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac or Open XML File Format Converter for Mac should be sure that they've downloaded the patch from Microsoft Security Bulletin MS09-027.

It€™s also important to ensure that antivirus software is installed on your Mac and kept up to date. There are good, free products for Mac OS X out there.


Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel