Microsoft: Macs 'not safe from malware, attacks will increase'
Summary: Microsoft has discovered a new piece of Mac malware that exploits a three-year-old flaw in old versions of Office for Mac. The company recommends that Mac users keep their installed software updated.
Microsoft researchers have analyzed a new piece of Mac malware that uses a multi-stage attack similar to typical Windows malware infection routines. In a post titled "An interesting case of Mac OSX malware" the Microsoft Malware Protection Center closed with this statement:
In conclusion, we can see that Mac OSX is not safe from malware. Statistically speaking, as this operating system gains in consumer usage, attacks on the platform will increase. Exploiting Mac OSX is not much different from other operating systems. Even though Mac OSX has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications.
So, what was the piece of code that caused Microsoft to write this? The malware in question uses a stack-based buffer overflow as an entry point for executing two-stage shellcode on a Mac, which eventually leads to the installation of a bot that connects to a remote command-and-control (C&C) server. Thankfully, the exploit in this specific piece of malware only works on Snow Leopard and older versions of Mac OS X, because the particular address it writes to isn't writable in Lion.
Here's the software giant's description:
Firstly, the vulnerability is a stack-based buffer overflow - the attack code could corrupt variables and return addresses located on the stack. As we analyzed the malware, we found that the malware author managed to corrupt a local variable and used that corrupted variable to deploy 'stage 1' shellcode to a designated area. This corrupted variable is later used for a target address and is where the stage 1 shellcode is copied. The corrupted return address points to this target address as well.
This target address is important, as, with Snow Leopard, we could confirm that it was used to exploit a specific location on the heap that is writable and also executable. The point is, that with Lion, that specific memory address can't be written, so the exploit fails.
We can assume that this malware itself is targeting only Snow Leopard or lower versions of Mac OSX. That means the attacker had knowledge about the target environment beforehand. That includes the target operating system, application patch levels, etc.
This stage 1 shellcode leads to stage 2 shellcode, which is located in memory. The stage 2 shellcode is actually where the infection of the system occurs.
If you want to check for this particular malware, you'll want to know that it creates the following three files:
- /tmp/launch-hs
- /tmp/launch-hse
- /tmp/file.doc
Each of the files on the infected machine performs a separate function. The file called "launch-hse" is the end payload of the attack. It communicates with the C&C server controlled by the attacker, which can perform a number of actions on the infected machine, including deleting files, gathering information about the OS and hardware, as well as uninstalling itself from the Mac.
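The three paths above are the only indicators the article gives, so a responder's first check is simply whether any of them exist. The following is an added example, not code from the article or from Microsoft: a POSIX shell function that tests for the three paths, prints size and modification time for any it finds (useful for a timeline), and returns the number of hits. The optional root prefix, which lets the same check run against a mounted evidence volume or a staging directory instead of the live filesystem, is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the article or Microsoft): look for the three file
# paths the article lists as created by this malware. The paths are the
# article's; the function name and the optional ROOT prefix are assumptions
# made for this example.

# Indicator paths as given in the article.
INDICATOR_PATHS="/tmp/launch-hs /tmp/launch-hse /tmp/file.doc"

# check_indicators [ROOT]
# Tests each indicator path under ROOT (default: the live filesystem, i.e.
# no prefix). Prints a FOUND line plus ls -l output for each match and
# returns the number of matches, so a return status of 0 means clean.
check_indicators() {
    root="${1:-}"
    n=0
    for p in $INDICATOR_PATHS; do
        if [ -e "${root}${p}" ]; then
            printf 'FOUND: %s\n' "${root}${p}"
            # size and mtime help place the file on an incident timeline
            ls -l "${root}${p}"
            n=$((n + 1))
        fi
    done
    return "$n"
}

# Usage (after sourcing this file):
#   check_indicators                    # live filesystem
#   check_indicators /Volumes/Evidence  # a mounted disk image
# Exit status is the hit count; combine with "|| echo 'hits: '$?" in scripts.
```

Because the hit count is the return status, the function drops straight into shell logic such as `check_indicators || alert_team`. Absence of all three files is not proof the machine is clean, since the names are specific to this sample; presence of any of them is enough to take the machine off the network and image it.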
While this is all certainly interesting, I'm most concerned that this malware uses a three-year-old flaw in Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac. Here's the corresponding security bulletin: MS09-027 - Critical.
Why is this a big deal? For one, Microsoft patched this flaw 35 months ago. Secondly, this particular security hole was exploited by a different piece of Mac malware just a few weeks ago. That's worrying. Here's what I wrote at the time:
You'll need to update Microsoft Office 2004 for Mac and Microsoft Office 2008 for Mac. Thankfully, this security vulnerability is from June 2009, so if you keep your Microsoft software patched, you should be good to go.
The same advice applies. Unfortunately, it appears that many Mac users, just like many Windows users, don't keep their software up-to-date.

Talkback
ironic issue about MS spruiking about Mac problems . . .
Yep
MAC users unable
Microsoft users
Tip: for Windows users
I wonder how many Windows users of Microsoft Office are still using Windows Update and are failing to apply security (and other) patches to Office.
Another passing the buck?
Users
Microsoft and Apple will soon employ the same techniques to combat
It's called an App Store business model patterned after Apple's recent iOS and Mac App stores, whereby updates and patches are regularly broadcast to the end user. Purists hate the walled garden philosophy, but it is the only way that effectively combats this type of malware threat.
As most everyone knows by now, when Windows 8 debuts, Microsoft will also employ their version of this walled garden app store policy. Apple will go one step further and incorporate their "Gate Keeper" security screening process that will work hand-in-hand with the App Store screening process.
I suppose everyone wishes for an "open" app store patterned after Google's business model, but that openness also invites malware threats of its own.
I think the world's consumers had better get used to living inside a walled garden, because Microsoft and Apple have both endorsed that business model. That leaves precious few users operating outside that business model.
"Purists hate the walled garden philosophy" -- walled garden is purist in
Re:'gate keeper'
Microsoft has long been its own equivalent of the 'Gate Keeper', called Authenticode. Correct me if I'm wrong, but applications from Windows Store must have a digital signature without which it simply will not run (as in Windows Phone).
Microsoft borrowed that too
Most of the new security architecture in Windows 8 is modeled after those of iOS.
What's pure about open?
But the whole point of this FUD storm is totally unsupported by facts. Security has to do with how well the software is written and maintained, and not just with how many attempts there are to circumvent it. To say otherwise is to, like Microsoft, absolve oneself of any responsibility to update it or write it well to begin with. I can see why MSFT has so consistently pushed their position on this, however!
Macs are not, under any stretch of the imagination, 'obscure' nor have they ever been in my lifetime. Hacks in through Office or Java don't equate to Apple having slacked off on this, certainly not approaching Microsoftian proportions of basically leaving all the ports on the system wide open and inviting abuse.
This just makes me want to ditch Office more than I did before.
Update your software
Don't twist what I said out of context
I never said you shouldn't keep your software, especially your MICROSOFT software, up-to-date. It's not like it wasn't already Swiss cheese to begin with from a 'security' standpoint.
There have been more infections on the Mac via Office than from any other vector. Easily.
Ah
right
Get GNU/Linux or *BSD!
@eulampius
Right.
ALL computer systems have vulnerabilities. It's just a matter of finding them and exploiting them.
OK, I think I get it now.
microsoft said that?
Apple: Flash 'not safe from malware, attacks will increase'
RIM: android devices 'not safe from malware, attacks will increase'
Google: Windows phone 'not safe from malware, attacks will increase'
And the sad thing is...