New exploit uses old Office vulnerability for OS X malware delivery

While this means of exploiting Mac systems via Microsoft Office is old and has been patched, this marks the first time Office documents have been used to exploit OS X systems.

Some malware groups have recently been found to be taking advantage of an old, patched vulnerability in Microsoft Office for OS X in an attempt to spread command-and-control malware to OS X systems.

The vulnerability used in the attack is outlined in a Microsoft security bulletin in June 2009, which applied to all versions of Office 2004 version 11.5.4 or earlier, Office 2008 version 12.1.8 or earlier, and OpenXML Converter 1.0.2 or earlier.

The vulnerability was patched soon after it was found, and currently all supported Office programs are well beyond these versions. However, malware developers are attempting to exploit unpatched systems. These efforts mark the first time Office documents have been used as a vehicle for attacks in OS X.

For this attack to work, you would need to open a maliciously crafted Word file that has likely been distributed via spam and other suspicious means that could easily be avoided. When a maliciously crafted Word file is opened in an unpatched version of Word for Mac, it runs a script that writes the document's malware payload to the disk and executes a shell script that runs the malware. In addition it displays a Word document containing a poorly formatted political statement about Tibetan freedoms and grievances.

So far there are two observed malware variants being distributed via these malicious Word documents:

  1. Variant One
    The first piece of malware appears to install in the Automator program that ships with OS X as a binary called "DockLight," which you can detect by running the following command in the Terminal (available in the /Applications/Utilities/ folder):

    ls /Applications/Automator.app/Contents/MacOS/


    If you run this command you should only see "Automator" listed in the output, but if you also see DockLight or any other files listed along with Automator then you might consider scanning your system with a malware scanner.

  2. Variant Two
    The second piece of malware appears to try to mimic the system launcher program "launchd" by installing a similarly named executable file in the global library directory, and then creates a launch agent that keeps this binary file running when the computer starts. As with Variant One, you can check your system to see if it shows up by running the following command in the Terminal:

    ls /Library/launchd


    If the result of this command contains the phrase "No such file or directory" then you are fine. However, if it returns the string "/Library/launchd" without mention of there not being any such file or directory then you again might consider scanning your system for malware.

In both cases, the malware attempts to contact command-and-control servers to receive instructions for uploading private information and other items from affected computers. However, because the malware only installs itself in locations that have already been uncovered, it can be easily removed from a system by running the following commands in the OS X Terminal:

sudo rm /Applications/Automator.app/Contents/MacOS/DockLight
sudo rm /Library/launchd

Security company AlienVault, which has been closely monitoring the recent Tibet.A Trojan malware, suspects that this new attack attempt is linked to the same group, which for now appears to be targeting Tibet-based nongovernmental organizations.

As with the recent Tibet and Flashback malware attempts that took advantage of old Java vulnerabilities , this is another example of why you should always apply the latest security patches and software updates to your system.

While most vulnerabilities addressed by security updates are only possible attack routes, and aren't necessarily under attack, once they made public then even years later malware developers might try to take advantage them. In this case, an attempt is being made to exploit a vulnerability that has been known and patched since mid-2009.

This development also serves as a reminder that running a system using an administrator account is less secure than reserving admin accounts for administrative purposes and relying on the more limited standard or "managed" accounts for day-to-day work and activities.

By running in a standard account, you limit the system resources that programs can automatically access, and isolate many types of trouble to your current user account's resources folder (by default, the contents of its home folder).

The overall take-home message from this and other recent OS X malware news is that updating your system and the software you have on it is an easy way to avoid many attacks.



Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.

 

Join the discussion

Conversation powered by Livefyre

Show Comments Hide Comments