Microsoft: Macs 'not safe from malware, attacks will increase'

Summary: Microsoft has discovered a new piece of Mac malware that exploits a three-year-old flaw in old versions of Office for Mac. The company recommends that Mac users keep installed software updated.


Microsoft researchers have analyzed a new piece of Mac malware that uses a multi-stage attack similar to typical Windows malware infection routines. In a post titled "An interesting case of Mac OSX malware" the Microsoft Malware Protection Center closed with this statement:

In conclusion, we can see that Mac OSX is not safe from malware. Statistically speaking, as this operating system gains in consumer usage, attacks on the platform will increase. Exploiting Mac OSX is not much different from other operating systems. Even though Mac OSX has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications.

So, what was the piece of code that caused Microsoft to write this? The malware in question uses a stack-based buffer overflow as an entry point for executing two-stage shellcode on a Mac that eventually leads to the installation of a bot that connects to a remote command-and-control (C&C) server. Thankfully, the exploit in this specific piece of malware only works on Snow Leopard and older versions of Mac OS X because the particular address it uses to write to isn't writable in Lion.

Here's the software giant's description:

Firstly, the vulnerability is a stack-based buffer overflow - the attack code could corrupt variables and return addresses located on the stack. As we analyzed the malware, we found that the malware author managed to corrupt a local variable and used that corrupted variable to deploy 'stage 1' shellcode to a designated area. This corrupted variable is later used for a target address and is where the stage 1 shellcode is copied. The corrupted return address points to this target address as well.

This target address is important, as, with Snow Leopard, we could confirm that it was used to exploit a specific location on the heap that is writable and also executable. The point is that, with Lion, that specific memory address can't be written, so the exploit fails.

We can assume that this malware itself is targeting only Snow Leopard or lower versions of Mac OSX. That means the attacker had knowledge about the target environment beforehand. That includes the target operating system, application patch levels, etc.

This stage 1 shellcode leads to stage 2 shellcode, which is located in memory. The stage 2 shellcode is actually where the infection of the system occurs.

If you want to check for this particular malware, you'll want to know that it creates the following three files:

  • /tmp/launch-hs
  • /tmp/launch-hse
  • /tmp/file.doc

Each of the files on the infected machine performs a separate function. The file called "launch-hse" is the end payload of the attack. It communicates with the C&C server controlled by the attacker, which can perform a number of actions on the infected machine, including deleting files, gathering information about the OS and hardware, as well as uninstalling itself from the Mac.
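For the file check described above, here is an added example (not from the article and not Microsoft's tooling): a POSIX shell function that looks for the three dropped files and prints basic triage details for any it finds. The optional root prefix is my own assumption, so the same check can be run against a mounted disk image rather than only the live system.

```shell
#!/bin/sh
# Added example (not from the article or Microsoft): check a Mac for the
# three files the article says this dropper creates. The optional ROOT
# argument is my own addition; it is prefixed to every path so the same
# check can be run against a mounted disk image instead of the live system.

INDICATOR_FILES="/tmp/launch-hs /tmp/launch-hse /tmp/file.doc"

# Prints each indicator file that exists, with mode, size and mtime for
# triage, and returns the number found (0 means none were present).
check_mac_office_dropper() {
    root="${1:-}"
    found=0
    for f in $INDICATOR_FILES; do
        path="$root$f"
        if [ -e "$path" ]; then
            found=$((found + 1))
            # -d keeps ls from descending if the path turns out to be a directory
            printf 'INDICATOR PRESENT: %s\n' "$(ls -ld "$path")"
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no indicator files present under '${root:-/}'"
    fi
    return "$found"
}

# Run on the live system (no argument) or against a mounted volume, e.g.
#   sh check_dropper.sh /Volumes/SuspectDisk
# A non-zero count is reported as a warning rather than aborting the script.
check_mac_office_dropper "${1:-}" || echo "WARNING: $? indicator file(s) present; isolate and image the host"
```

Presence of /tmp/file.doc alone is weak evidence (any document could be saved there), so treat the two launch-hs* files as the stronger signal and preserve them for analysis rather than deleting them.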

While this is all certainly interesting, I'm most concerned that this malware uses a three-year-old flaw in Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac. Here's the corresponding security bulletin: MS09-027 - Critical.

Why is this a big deal? For one, Microsoft patched this flaw 35 months ago. Secondly, this particular security hole was exploited by a different piece of Mac malware just a few weeks ago. That's worrying. Here's what I wrote at the time:

You'll need to update Microsoft Office 2004 for Mac and Microsoft Office 2008 for Mac. Thankfully, this security vulnerability is from June 2009, so if you keep your Microsoft software patched, you should be good to go.

The same advice applies. Unfortunately, it appears that many Mac users, just like many Windows users, don't keep their software up-to-date.


Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years, he has covered the tech industry for multiple publications, including Ars Technica, Neowin, and TechSpot.

  • ironic issue about MS spruiking about Mac problems . . .

    . . . the irony being that MS software is one of the major problems, not the OS.
    • Yep

      So basically it doesn't matter what platform you use. If you use a MS product, it will have vulnerabilities that are easy to exploit.
    • MAC users unable

      to patch their software, sounds like a user issue to me, Microsoft released the patch 35 months ago but Mac users are too lazy or so gullible they believe the "Macs don't get viruses" line that Jobs fed them.
      • Microsoft users

        Let's be more correct: those are Microsoft software users. It is Microsoft's responsibility to deliver the patches to them promptly. It is not as if Microsoft Office for Macintosh is a free product.
    • Tip: for Windows users

      Make sure to switch from Windows Update to Microsoft Update. This way you can keep Microsoft Office up-to-date on patches more easily.

      I wonder how many Windows users of Microsoft Office are still using Windows Update and are failing to apply security (and other) patches to Office.
      Rabid Howler Monkey
  • Microsoft: Macs 'not safe from malware, attacks will increase'

    Who is at fault? Microsoft, Apple, Users.

    Another passing the buck?
    • Users

      are at fault, period. They need to patch their crap and they are too lazy to do it.
  • Microsoft and Apple will soon employ the same techniques to combat

    malware threats of this nature. That is, malware that attacks unpatched software program code. The "purists" will not like the solution but both companies recognize the practical effectiveness of this action plan.

    It's called an App Store business model patterned after Apple's recent iOS and Mac App Stores whereby updates and patches are regularly broadcast to the end user. Purists hate the walled garden philosophy but it is the only way that effectively combats this type of malware threat.

    As most everyone knows by now, when Windows 8 debuts, Microsoft will also employ their version of this walled garden app store policy. Apple will go one step further and incorporate their "Gate Keeper" security screening process that will work hand-in-hand with the App Store screening process.

    I suppose everyone wishes an "open" app store patterned after Google's business model but that openness also invites malware threats of its own.

    I think the world consumers better get used to living inside a walled garden because Microsoft and Apple have both endorsed that business model. That leaves precious few users operating outside that business model.
    • "Purist hate the walled garden philosophy" -- walled garden is purist in

      ... its own way. ;))
    • Re:'gate keeper'

      [quote]Apple will go one step further and incorporate their "Gate Keeper" security screening process that will work hand-in-hand with the App Store screening process.[/quote]
      Microsoft has long had its own equivalent of the 'Gate Keeper', called Authenticode. Correct me if I'm wrong, but applications from Windows Store must have a digital signature without which they simply will not run (as in Windows Phone).
      • Microsoft borrowed that too

        Apple's App Store predates Windows Phone and its App Store.

        Most of the new security architecture in Windows 8 is modeled after those of iOS.
    • What's pure about open?

      That's just mixing metaphors. 'Pure' if anything, would be consistent, and not 'open' to just anything. When you throw it all in and press blend, that isn't 'pure'. Selecting the best is MUCH more like 'pure' if you want to mix the meanings of these words.

      But the whole point of this FUD storm is totally unsupported by facts. Security has to do with how well the software is written and maintained, and not just by how much attempt there is to circumvent it. To say otherwise is to, like Microsoft, absolve oneself of any responsibility to update it or write it well to begin with. I can see why MSFT has so consistently pushed their position on this, however!

      Macs are not, under any stretch of the imagination, 'obscure' nor have they ever been in my lifetime. Hacks in through Office or Java don't equate to Apple having slacked off on this, certainly not approaching Microsoftian proportions of basically leaving all the ports on the system wide open and inviting abuse.

      This just makes me want to ditch Office more than I did before.
      • Update your software

        Give me a break, MS patched this 35 months ago. This article is not a slam on Apple, but Apple users. The fact is that no OS or software package is impervious to attack. So when a vulnerability is discovered, and a patch is released, update your software. Why all the drama, mama?
      • Don't twist what I said out of context

        Sure, they patched it, I am referring to their lackadaisical attitude (and their cozy relationship with all the virus companies, especially Symantec).

        I never said you shouldn't keep your software, especially your MICROSOFT software, up-to-date. It's not like it wasn't already Swiss cheese to begin with from a 'security' standpoint.

        There have been more infections on the Mac via Office than from any other vector. Easily.
      • Ah

        So you were just spewing more the same anti-Microsoft rhetoric. 'Nuff said.
      • right

        Exactly, their attitude stinks! I am not saying that if anyone should accuse on (in)security, the company with the ten years overwhelmed by malware should be the last to open its mouth in the first place. No, the thing is, that MS takes an example of its own bloat, and holds MacOSX responsible due to its popularity? Yes MS and the users are to be blamed. After all, don't allow MS sh**t in your machine and don't buy from Apple!
        Get GNU/Linux or *BSD!
      • @eulampius

        Riiight. 'Cause Linux has never had a bug, nor an exploit that caused half the internet to go down, right? And LinuxMobile (aka Android) app marketplaces aren't plagued by malware and spyware infested apps, right?


        ALL computer systems have vulnerabilities. It's just a matter of finding them and exploiting them.
      • OK, I think I get it now.

        @bmonsterman - thanks for clearing up the confusion. So it is perfectly OK for you and all your cronies to spew anti-Apple rhetoric, but it is apparently unacceptable for someone to dislike Microsoft products? Hmm, yes, that seems quite fair!
  • microsoft said that?

    other news today
    Apple: Flash 'not safe from malware, attacks will increase'

    RIM: Android devices 'not safe from malware, attacks will increase'

    Google: Windows Phone 'not safe from malware, attacks will increase'
    • And the sad thing is...

      ...they are all correct.
      Michael Kelly