Mac Malware Targeting Unpatched Office Running on OS X

Microsoft is reporting that malware is exploiting unpatched versions of its Microsoft Office Word 2000 suite to compromise Apple Macintoshes running Snow Leopard or earlier versions of Mac OS X.

Microsoft has discovered malware that's preying on Apple computers running unpatched versions of its Office application suite.

The two vulnerabilities in question were patched in the Microsoft Office Word 2000 suite in June 2009, almost three years ago.

At that time, Microsoft put out a critical security bulletin€”MS09-027€”to close the holes, which can allow an attacker to get control of a system if a user opens a maliciously crafted Word file.

Jeong Wook Oh, of Microsoft's Malware Protection Center, wrote that nearly three years after the holes were patched, Microsoft has seen malware emerge that exploits the weaknesses on machines running Office on Mac OS X.

Microsoft is seeing limited spread of the malware, fortunately. However, Oh noted that the Malware Protection Center's investigations are turning up a few interesting tidbits.

One finding is that the malware targets only Snow Leopard or lower versions of Mac OS X. Specifically, one vulnerability is a stack-based buffer overflow that allows attack code to corrupt variables and return addresses located on the stack.

In the exploits Microsoft analyzed, they found that the malware author managed to corrupt a local variable and use it to deploy shellcode. Next, the malware uses the corrupted variable for a target address to which it copies the shellcode.

That target address is important, Oh wrote, since with Snow Leopard, it's used to exploit a specific, writable, executable location on the code heap. With Mac OS X Lion, that particular memory address can't be written, causing the exploit to fail.

The malware author is thus targeting Snow Leopard and lower Mac OS X versions, Oh said. "[It] means the attacker had knowledge about the target environment beforehand," he wrote. "That includes the target operating system, application patch levels, etc."

The malware turns the infected system into a slave in a botnet. It plants a shell script that hides abnormalities or malicious symptoms from the user. It then plants the main payload file, which is a command-and-control agent that communicates to a server that Oh said is similar to other C&C botnet servers. From there, it looks like the server is passing on commands for the infected machine to retrieve files or create processes.

The obvious takeaway is that Mac OS X isn't safe from malware, Oh said, and the situation's only going to get worse as the operating system comes into greater use. This means, of course, that Mac users have got to wake up and smell the coffee when it comes to staying on top of patches.

"Exploiting Mac OSX is not much different from other operating systems," he wrote. "Even though Mac OSX has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications."

Oh recommended that people using Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac or Open XML File Format Converter for Mac should be sure that they've downloaded the patch from Microsoft Security Bulletin MS09-027.

It€™s also important to ensure that antivirus software is installed on your Mac and kept up to date. There are good, free products for Mac OS X out there.