According to fresh warnings from security vendor Intego, new malware is exploiting a Java vulnerability on Macs that haven't been patched with Apple's Java for OS X Lion 2012-002 and Java for Mac OS X 10.6 Update 7, released earlier this month. The analysts also warned that many copies of older versions of MS Word haven't been patched and are being exploited to infect Macs.
Intego warned of SabPab, which exploits the same Java vulnerability as the Flashback trojan.
SabPab is a backdoor that connects to remote command and control servers, presumably to harvest information from infected Macs. It installs into the user's ~/Library/LaunchAgents folder, so no administrator password is needed, and places its code in the user's ~/Library/Preferences folder as com.apple.PubSabAgent.pfile.
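A check a defender might run for the persistence described above, written here as an added example (not Intego's or Apple's tooling): it parses each launchd property list in a per-user LaunchAgents folder with Python's standard plistlib and flags agents whose program is the reported com.apple.PubSabAgent.pfile, or anything else launched out of Library/Preferences. The benign and suspect plists written by demo() are constructed for illustration, not real samples.

```python
import plistlib
import tempfile
from pathlib import Path

KNOWN_PAYLOAD_NAME = "com.apple.PubSabAgent.pfile"  # file name from the Intego report

def agent_programs(plist_path):
    """Return the executable(s) one launchd property list would start."""
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    progs = [str(data["Program"])] if data.get("Program") else []
    args = data.get("ProgramArguments") or []
    if args:
        progs.append(str(args[0]))
    return progs

def audit_launch_agents(launch_agents_dir):
    """Scan a per-user LaunchAgents folder; return [(plist name, reason), ...].
    Flags the known SabPab file name in a program path, and any agent whose
    program sits under Library/Preferences, a settings folder that should not hold code."""
    findings = []
    for plist in sorted(Path(launch_agents_dir).glob("*.plist")):
        try:
            progs = agent_programs(plist)
        except Exception as exc:  # a plist launchd cannot parse is itself worth reporting
            findings.append((plist.name, f"unparseable plist: {exc}"))
            continue
        for prog in progs:
            if KNOWN_PAYLOAD_NAME in prog:
                findings.append((plist.name, f"known SabPab artifact: {prog}"))
            elif "/Library/Preferences/" in prog:
                findings.append((plist.name, f"runs code from Preferences: {prog}"))
    return findings

def demo():
    """Constructed sample: one benign agent and one mimicking the reported SabPab
    layout, written to a temp dir (not a real home folder), then audited."""
    home = Path(tempfile.mkdtemp())
    agents = home / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    samples = {  # labels and paths below are made up for the demonstration
        "com.example.updater.plist": {"Label": "com.example.updater",
            "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/updater"]},
        "com.apple.PubSabAgent.plist": {"Label": "com.apple.PubSabAgent", "RunAtLoad": True,
            "ProgramArguments": [str(home / "Library/Preferences" / KNOWN_PAYLOAD_NAME)]},
    }
    for name, body in samples.items():
        with open(agents / name, "wb") as fh:
            plistlib.dump(body, fh)
    return audit_launch_agents(agents)
```

On a real Mac, point audit_launch_agents at ~/Library/LaunchAgents; any hit should be confirmed by inspecting the plist and the file it points to before acting on it.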
As I mentioned in a previous post, users of older machines running pre-Snow Leopard OSes can disable Java in their web browser (in Safari it's a Security preference), or turn it off altogether using the Java Preferences application, found in the Utilities folder in Applications.
The Word vulnerability was patched by Microsoft several years ago; however, many Mac users haven't installed the patches or have turned off Microsoft's automatic updater. According to Intego, MS Word 2004 and 2008 are vulnerable, but Word 2011 is not. Likewise, the older .DOC format is vulnerable, while the .DOCX format is not.
New variants of the SabPab backdoor that we recently wrote about have been found using Word documents to deliver the same payload as the first variant. This variant uses the same technique to install files on Macs as the Tibet.C malware that we discussed in March.
These two types of malware use Word documents in an interesting way. Each file has three parts: the first part is the exploit that takes advantage of a Word vulnerability. The second part is the malware that is then installed on Macs. And the third part is an actual Word document that displays when a user double-clicks the file.