New Java trojan and old MS Word vulnerabilities need patching


Summary: According to fresh warnings by security vendor Intego, a new piece of malware is exploiting a Java vulnerability on Macs that haven't been patched with Apple's Java for OS X Lion 2012-002 and Java for Mac OS X 10.6 Update 7, released earlier this month. Meanwhile, the security analysts warned that many copies of older versions of MS Word still haven't received a patch Microsoft issued years ago, and those machines are being infected through it.


Intego warned of SabPab, which can exploit the same Java vulnerability as the Flashback trojan.

SabPab is a backdoor that connects to remote command-and-control servers, presumably so that an attacker can harvest information from infected Macs. The malware installs its launch item in the user's own ~/Library/LaunchAgents folder, which is writable by that user, so no administrator password is needed for it to persist. It places its code in the user's ~/Library/Preferences folder (as the file com.apple.PubSabAgent.pfile).
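The persistence trick described above is worth checking for on your own machine: a launchd agent in the user's ~/Library/LaunchAgents needs no administrator rights, so the question is simply which programs those agents run and where they live. The following is an added example written for this page, not Intego's or ZDNet's code and not a SabPab signature; it assumes the layout the article describes (a plist under ~/Library/LaunchAgents pointing at a program under ~/Library/Preferences). The allowlist of "expected" program locations and the sample plists are constructed assumptions for the demo; only the .pfile name comes from the article.

```python
"""Audit per-user launchd agents for programs stored in odd places.

Added example, not the article's own code. Constructed sample data.
"""
import os
import plistlib
import tempfile
from pathlib import Path


def agent_program(plist):
    """Return the executable a launchd plist would run, or None."""
    if "Program" in plist:
        return plist["Program"]
    args = plist.get("ProgramArguments")
    if args:
        return args[0]
    return None


def audit_launch_agents(agents_dir, home):
    """Return (label, program, reason) for every agent worth a second look.

    agents_dir: the LaunchAgents directory to scan.
    home: the home directory, used to recognise paths under ~/Library.
    """
    pref_dir = os.path.join(home, "Library", "Preferences")
    # Assumed allowlist: places a legitimately installed agent's program
    # normally runs from. Tune this for your fleet; it is not exhaustive.
    expected_roots = (
        "/Applications", "/Library", "/System", "/usr", "/bin", "/sbin",
        os.path.join(home, "Applications"),
        os.path.join(home, "Library", "Application Support"),
    )
    findings = []
    for path in sorted(Path(agents_dir).glob("*.plist")):
        try:
            with open(path, "rb") as fh:
                plist = plistlib.load(fh)
        except Exception as exc:  # an unparsable agent is itself notable
            findings.append((path.name, None, f"unparsable plist: {exc}"))
            continue
        label = plist.get("Label", path.name)
        program = agent_program(plist)
        if program is None:
            findings.append((label, None, "no Program/ProgramArguments"))
            continue
        program = os.path.expanduser(program)
        if program.startswith(pref_dir):
            # Preferences holds settings, not executables: the pattern above.
            findings.append((label, program, "program stored under ~/Library/Preferences"))
        elif not program.startswith(expected_roots):
            findings.append((label, program, "program outside expected roots"))
    return findings


def demo():
    """Build a throwaway home with one benign and one SabPab-style agent."""
    home = tempfile.mkdtemp()
    agents = Path(home, "Library", "LaunchAgents")
    agents.mkdir(parents=True)
    # Constructed stand-in for the .pfile; placeholder bytes, not a binary.
    pfile = Path(home, "Library", "Preferences", "com.apple.PubSabAgent.pfile")
    pfile.parent.mkdir(parents=True)
    pfile.write_bytes(b"\xcf\xfa\xed\xfe")
    with open(agents / "com.apple.PubSabAgent.plist", "wb") as fh:
        plistlib.dump({"Label": "com.apple.PubSabAgent",
                       "ProgramArguments": [str(pfile)],
                       "RunAtLoad": True}, fh)
    # Constructed benign agent run from /Applications (assumed path).
    with open(agents / "com.example.updater.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"],
                       "StartInterval": 3600}, fh)
    return audit_launch_agents(agents, home)


if __name__ == "__main__":
    for label, program, reason in demo():
        print(f"{label}: {reason} ({program})")
```

On a real Mac, call audit_launch_agents(os.path.expanduser("~/Library/LaunchAgents"), os.path.expanduser("~")) and review every finding by hand; the allowlist only narrows the list, it does not prove an agent is clean.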

As I mentioned in a previous post, users of older machines running pre-Snow Leopard OSes, which these updates do not cover, can disable Java in their web browser (in Safari it's a Security preference) or turn it off altogether using the Java Preferences application, found in the Utilities folder inside Applications.

The Word vulnerability was patched by Microsoft several years ago; however, many Mac users haven't bothered to install the patches or have turned off Microsoft's automatic updater. According to Intego, Word 2004 and 2008 are vulnerable, but Word 2011 is not. In addition, the vulnerability is in the older binary .DOC format, not the XML-based .DOCX format.

New variants of the SabPab backdoor that we recently wrote about have been found using Word documents to deliver the same payload as the first variant. This variant uses the same technique to install files on Macs as the Tibet.C malware that we discussed in March.

These two types of malware use Word documents in an interesting way. Each file has three parts: the first part is the exploit that takes advantage of a Word vulnerability. The second part is the malware that is then installed on Macs. And the third part is an actual Word document that displays when a user double-clicks the file.
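The three-part layout described above (exploit-bearing .doc, embedded Mac executable, decoy document) leaves traces that a quick triage can surface without opening the file in Word. The following is an added example for this page, not Intego's or ZDNet's code and not a detector for the specific Word exploit: it classifies the container by its leading bytes (the binary .DOC format versus the ZIP-based .DOCX format, so a misleading extension does not matter) and then scans for a Mach-O executable header and a second OLE document header at non-zero offsets. The sample file is constructed inline; a real dropper may compress or encode its payload, which a plain signature scan like this would miss.

```python
"""Triage a Word attachment for an embedded Mach-O payload and decoy document.

Added example, not the article's own code. Sample input is constructed.
"""

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # Compound File Binary (.doc)
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.docx) container
MACHO_MAGICS = {
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit little-endian",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit little-endian",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit big-endian",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit big-endian",
    # CAFEBABE is also the Java class-file magic, so treat it as a weak signal.
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary or Java class",
}


def container_type(data):
    """Classify by magic bytes, not by file extension."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def find_all(data, needle):
    """Offsets of every occurrence of needle in data."""
    hits, start = [], 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def triage(data):
    """Summarise the container type and any embedded objects found."""
    report = {"container": container_type(data), "embedded": []}
    for magic, name in MACHO_MAGICS.items():
        for off in find_all(data, magic):
            report["embedded"].append((off, name))
    # An OLE header anywhere after offset 0 is a second document: the decoy.
    for off in find_all(data, OLE_MAGIC):
        if off != 0:
            report["embedded"].append((off, "embedded OLE document"))
    report["embedded"].sort()
    # The pattern from the article: a .doc container carrying a Mac executable.
    report["suspicious"] = (
        report["container"] == "ole"
        and any(name.startswith("Mach-O") for _, name in report["embedded"])
    )
    return report


def build_sample():
    """Constructed three-part file: carrier doc + Mach-O stub + decoy doc.

    The 512-byte OLE header stubs and the 32-byte mach_header_64 stub are
    placeholders sized like the real structures; they are not valid files.
    """
    carrier = OLE_MAGIC + b"\x00" * 504
    payload = b"\xcf\xfa\xed\xfe" + b"\x07\x00\x00\x01" + b"\x00" * 24
    decoy = OLE_MAGIC + b"\x00" * 504
    return carrier + payload + decoy


if __name__ == "__main__":
    report = triage(build_sample())
    print("container:", report["container"])
    for off, name in report["embedded"]:
        print(f"  offset {off}: {name}")
    print("suspicious:", report["suspicious"])
```

To triage a real attachment, read it with open(path, "rb").read() and pass the bytes to triage(); a hit is a reason to quarantine and look closer, while a clean result only means nothing was found in the clear.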

Talkback

20 comments
  • Keep up to date, people . . .

    Keep up to date, people. Keep those automatic updates on. Security is not a one-time thing, it's a process.

    Indeed, this goes for any OS: If you stay up to date, the chances of getting any type of malware is slim.

    Even on Windows PCs, it's generally the case that the vast majority of infections are on unpatched machines.

    So keep up to date, always.
    CobraA1
    • Only problem with this line of thought...

      ... is that Apple barely supports PPC hardware anymore, and PPC hardware with Leopard is affected by Flashback.

      If you're using a PPC Mac and need Java, you're kinda... well... screwed.
      Champ_Kind
      • Which means...

        ... you'll have to pay your Apple tax and upgrade your computer to one that's Intel-based. Oh, I forget myself: we can't criticise Apple, as they only ever have our best interests at heart - it's Microsoft that is the evil empire, always forcing people to chuck away perfectly good computers, changing their OS every 4 years to such an extent that users have to buy their software all over again, not supporting desktop OSes older than 5 or 6 years... :-P
        IslandBoy_77
      • You know . . .

        You know, I am on a pretty thin budget right now, spending about $20 or so less than my income.

        Thankfully, it's a temporary situation, but at that rate I can afford a $300 netbook in a little over a year.

        How old is that PPC again?
        CobraA1
  • PubSubAgent.pfile or PubSabAgent.pfile?

    This malware installs in the user’s /Library/LaunchAgents folder, so no administrator password is needed. It places its code in the user’s /Library/Preferences folder (the com.apple.PubSabAgent.pfile).

    Is this a new .pfile addition or did you mean "com.apple.PubSubAgent.pfile" ???
    WebDavCrisp
  • This must be a mistake

    [i]so no administrator password is needed[/i]

    We were told by the Apple community that you always needed a password to install programs. No matter how many times the ignorant Apple community was informed that admin passwords are only required if the installer requires admin privileges, they told us that no, this wasn't true. As long as you didn't enter your admin password, no programs could be installed on the computer.

    Clearly they were wrong. Clearly they should have listened to people who are much smarter than they are.

    Keep in mind folks that "bypassing" the need for the admin password is [b]by design[/b], this isn't some vulnerability that Apple can patch. Yes, there is a vulnerability that allowed the malware to be downloaded and installed without the user requesting it but the exploit itself didn't have to take advantage of any vulnerability to bypass the admin password.

    The only way to stay safe, OS X users, is to be paranoid. Do not open emails, do not surf the web, do not even look at the filename of a Word document. You have to be scared to use your computer. Enjoy.
    toddbottom3
    • I find it amusing

      that the mac fanbois keep voting down your post... I guess they don't like the truth being told?

      First it was "security by obscurity" (which was a myth) to "There is NO malware for Macs" (even [i]after[/i] Apple released an antimalware solution and has kept it updated since) followed by "Macs don't get viruses" (true enough but a misdirection) and then it's "Ed Bott keeps blowing this out of proportion" (no, not really) to "You NEED an administrator password to run" (which has since also been proven false)... so what's the NEXT excuse going to be before you guys wake up and realize there IS an issue?

      And here's a question of board etiquette for you people who love to flag posts or vote posts down and move on - why not man up, grow a pair of cojones, and say why you flagged it/voted it down?
      NonFanboy
      • Men of straw

        And I find it amusing that you continue to make straw man arguments.
        Care to post citations where people made these comments.
        1) Security by obscurity is a statistical argument that can be proved false in both the forward and reverse direction with simple math. I have done so repeatedly on other threads.
        2) Please provide a citation for where people here claimed there was no OSX malware. In fact, the fact that there IS (but that its rate of introduction has remained essentially unchanged) only helps to bolster the proof in #1, above.
        3) There are no Mac viruses, as stated.
        4) Please provide a citation to where this was stated as a general rule, rather than a specific response to a specific instance, where that specific instance was not the case.
        .DeusExMachina.
      • He isn't being downvoted for telling the truth...

        He is being downvoted for saying it like a douche! (As a douche?)

        Just sayin'...
        mlashinsky@...
    • Care to provide citations to where this claim was made?

      <nt>
      .DeusExMachina.
      • care to use google?

        what are you, an annoying lawyer trying to slow down the trial? :-p
        belli_bettens@...
      • @belli_bettens

        Care to have a point?

        Or to even read? Google has nothing to do with this. This is about posters to THIS forum, making THESE comments. Duh.
        .DeusExMachina.
  • An analogy.

    Trojan writers follow the herd, picking off the old and the lame.
    trm1945
  • What's the matter with people? I ALWAYS install updates the moment they are

    available; always have. I don't see the point in not doing so.
    Laraine Anne Barker
  • The Java update problem

    was not one of users failing to update but one of Apple being 2 months late releasing the update after the exploit had been reported and Oracle had patched it. Apple finally releasing the patch was more a matter of after the malware attack was widely reported than any preemptive move on Apple's part. They failed in every way to protect their users and still the fanboys defend them.
    techadmin.cc@...
    • When did Oracle give Java patches to Apple

      You seem well informed, sort of :)

      So, tell us, do you know at what date did Oracle provide patched Java code to Apple to release to their customers?

      You don't know? Yet, you claim it was Apple who caused the delay.
      danbi
  • turn off java

    turning off java altogether is helpful. then when the computer tells you that it can't do something because java is not enabled, it gives the user the opportunity to figure out what is calling for the java and avoid its unauthorized use and a covert infection.

    if you decide to turn it on, then turn it back off after you're through with the service.
    databaseben
    • Apple made this sort of automatic in the last Java patches

      The last Java patches will turn Java plugin and Java Web Start off. If you encounter a site/application that needs them, you will be prompted if you want it enabled. If you no longer use Java for an extended period and forget that you better disable it again (as most people would), then Java will be automatically disabled again on OS X.

      I don't think Apple has patented this method, so Microsoft and others might well just borrow it ;)
      danbi
  • So, the upshot of all this is.....

    [b][u]All[/u][/b] computer users should be informed, taught, cajoled, forced, or whatever, to update their machines to use the internet. And if they can't (older eqpt), then they have to buy a new machine or stay off the web. If they don't and become 'bots or spammers, their ISPs have a right to kick them off.

    Hmmmm....there otta be a law (against stupidity or irresponsibility) that all OS makers [b] MUST [/b] default their systems to automatic updates (including nagging if not) and if the OS is not updated by a short time period, then it shuts down so other users are not targeted. Sorry folks but security and safety need to be enforced on the web. Should be Web Police (shades of Tom Clancy).
    plandok@...
  • A bit late to the party...

    ... but since both MS and Apple are now plagued by viruses, there is only one left. The good news is that Linux will run on both the PC and PPC hardware. So you can keep your favorite hardware and get the software for free. Win win!!!
    Johan Safari