New version of Mac OS X Trojan exploits Word, not Java

New version of Mac OS X Trojan exploits Word, not Java

Summary: A second variant of the Mac OS X Trojan referred to as Backdoor.OSX.SabPub.a or SX/Sabpab-A is exploiting a Microsoft Word security hole, not the usual Java vulnerabilities used before.


Just a few days ago, a new Mac OS X Trojan was spotted in the wild that exploited Java vulnerabilities and required no user interaction to infect your Apple Mac, just like the Flashback Trojan. Kaspersky referred to it as "Backdoor.OSX.SabPub.a" while Sophos called it at "SX/Sabpab-A." Now, both security firms have confirmed a different variant of this new Trojan that infects Macs by exploiting Microsoft Word, not Java.

Sophos detects the malicious Word documents as Troj/DocOSXDr-A and points to the following Microsoft Security Bulletin: MS09-027. Kaspersky meanwhile points to this security bulletin for the same Microsoft Word security hole: CVE-2009-0563.

The new version of the Trojan uses malformed Word documents to open a backdoor for remote hackers to steal information or install further code. Just like many recent variants of Mac-specific Trojans, OS X users may be caught off guard as there is no prompt to enter your username or password when the malicious software installs itself onto your Mac.

On the other hand, while the first discovered version of this Trojan requires no user interaction, this second one does. Instead of just browsing the Web and getting infected, Mac users have to actually download and open the Word document for this second version to work.

Here's what I wrote in my last article:

The good news is this means that this Trojan is not believed to be anything as widespread as Flashback, and if you've downloaded and installed the latest software updates from Apple that patch the Java vulnerabilities (or disabled Java), you're safe. The bad news is these Trojans will just keep coming, likely at an increasing rate. This Trojan further underlines the importance of protecting Macs against malware with an updated anti-virus program as well as the latest security updates.

The first part no longer applies. Updating or uninstalling Java will not do you any good. Instead, you'll need to update Microsoft Office 2004 for Mac and Microsoft Office 2008 for Mac. Thankfully, this security vulnerability is from June 2009, so if you keep your Microsoft software patched, you should be good to go. The last parts still apply.

See also:

Topics: Malware, Apple, Hardware, Microsoft, Operating Systems, Security, Software

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • OSX doesn't need AV software

    It needs a good sandbox technology like Linux LSM.
    Neither OSX or Windows has it.

    Linux with LSM: The safest operating system on the Planet.

    I stake my reputation on it
    Dietrich T. Schmitz *Your
    • It may be better but it is controversial even in security circles

      I've seen reviews of this. Even security researchers are not all for it. It's protection is incomplete and may even be leveraged against the computer in area of rootkit. So far, I haven't seen a security system yet that's fool proof. And that is why a layered approach and some good old caution works the best. Every time I've seen people put up a challenge to attack an exposed PC daring somebody to pwn it - it fails, usually spectacularly and embarrassingly.
    • You never answer the questions related to LSM

      1) Is it activated by default ?
      2) Can my grandmother start it without opening the command line ?
      3) If LSM runs in kernel mode, who is responsible for the exploits discovered in LSM ?
      • Why give in to Dietrich's FUD?

        Dietrich is just spreading FUD. Both Microsoft and Apple have sandboxing technologies equivalent to LSM that are appropriate for their kernel technology. Dietrich fails to understand these technologies because he fails to understand the differences between a hybrid and a monolithic kernel. Since he does not understand the fundamentals, how is he equipped to answer the rest of your questions?

        The only thing that I can say for certainty is that Dietrich will hijack another thread with his LSM rantings. I stake my reputation on it.
        Your Non Advocate
      • tell your grandma, she'll like GNU/Linux

        1) Yes (apparmor) and it is highly configurable
        2) yes, she can, as many other non-power users, moreover, to install any software your grandmother has to open a a package manager, select the package in the checkbox and press apply --> it will be installed from a secure repository, without endangering security unlike on Windows (or Mac OSX) where users have to download and install from potentially insecure sources. Don't forget to add to your grandma, that updating and upgrading is very important, on most Linux distros (and BSD) it CAN be done with much less pain, unlike the status quo on MS and Apple OS, to say nothing about frequent Windows reboots.
        3) apparmor is supported by a big community and Novell
    • "I stake my reputation on it"

      Go one here really cares about you opinions anyway.
      • If it really worked--or if users of other os's have constant issues

        ..then he wouldnt be on every talkback desperately trying to sell this.

        Why doesnt Ubuntu market this if it is so great? No, instead, Shutty and DJS just talk and talk and talk.
    • Dietrich

      You have not answered my questions about if LSM would have helped with the issues that The Sony Network,, and The Linux Foundation experienced. What is it with you and these unsolicited - almost spam like - posts extolling to virtues of Linux? When are you going to figure out that Linux us not for everyone?
      • Well said

        well said indeed
      • What went wrong

        Go ahead give the unknown what went wrong with (Sony,, and The Linux Foundation)
      • @nonfanboy

        Hey, aren't you spreading FUD about Sony Network hack? You don't know what had happened? FYI, It was done through an SQL injection. Usernames along with passwords were kept as plain text to make it worse. Lulsec never hijacked the site, installed virus nor a trojan. What does it have to do with Linux?
    • Both osx and Windows have sandboxing

      Vista was the first Windows version to feature MIC, which is essentially the same thing as SELLinux is providing. Osx has a sandbox profile system since SL.

      By the way, Linux isn't the safest os on the planet as witnessed by malware and privacy king Android, and by Apache which is responsible for millions of zombie web servers, all running Linux. Did you hear about the latest flaw in Samba by the way ?
      • got any proof?

        Wow, you got any evidence about millions of Apache+Linux servers bots? Why don't you provide some supporting links?
        As far as the Samba flaw is conc., you got any evidence of any exploits in the wild?
        Android security problem is due to the Windows braindama... oriented peoples' mentality: not to check the permissions of an app prior to installation. On the daily basis, a Windows user has to deal with a risk of installing a malwared ridden software. The permission system on Windows is rudimentary, and rarely used by apps writers.
    • Re: The safest operating system on the Planet. I stake my reputation...

      I believe the designer of the [i]Titanic[/i] said something similar: "Unsinkable. I stake my reputation on it."
      • No

        It was the local papers that called Titanic virtually unsinkable, because of the advanced (for the time) safety systems. Granted, the designer and owners of the cruise line didn't do anything to counter the comments. Who would expect them to?

        But no system is foolproof and and arrogance cost a lot of lives that night in April. Brittle steel, trying to avoid the iceberg when it was too close and a host of other tragic events sent the ship to the bottom. I don't care how safe an OS is claimed to be, any protection fashioned by the mind of man (or woman) can be defeated by another mind.
      • No, no, no...

        The manufacturer never said Titanic was 'unsinkable'. The British press said that. Just because people are misinformed about computers on this site doesn't mean they should be ignorant about everything.
  • This never seems to end does it?

    They just keep making variations and more and more malware for MacOS. Sounds like MacOS is in need of an Antivirus/Anti-malware suite that that updates itself at least once a day.
    • Uhhhh already there

      It has a built in behind the scenes anti malware program, but Apple is sometimes slow on that. There are many 3rd party programs for this too
      • Many 3rd Party Programs

        I know they exist and Apple does an OK of patching those holes but I was trying to illustrate that maybe MacOS users need to come out of under their rocks and actually use a 3rd party program to help protect themselves.
    • MacOS cannot get infected, can it?

      I thought MacOS cannot get viruses? I thought my Apple gear was immune to that sort of thing.

      Now what do I do?????