New version of Mac OS X Trojan exploits Word, not Java

Just a few days ago, a new Mac OS X Trojan was spotted in the wild that exploited Java vulnerabilities and required no user interaction to infect your Apple Mac, just like the Flashback Trojan. Kaspersky referred to it as "Backdoor.OSX.SabPub.a" while Sophos called it at "SX/Sabpab-A." Now, both security firms have confirmed a different variant of this new Trojan that infects Macs by exploiting Microsoft Word, not Java.

Sophos detects the malicious Word documents as Troj/DocOSXDr-A and points to the following Microsoft Security Bulletin: MS09-027. Kaspersky meanwhile points to this security bulletin for the same Microsoft Word security hole: CVE-2009-0563.

The new version of the Trojan uses malformed Word documents to open a backdoor for remote hackers to steal information or install further code. Just like many recent variants of Mac-specific Trojans, OS X users may be caught off guard as there is no prompt to enter your username or password when the malicious software installs itself onto your Mac.

On the other hand, while the first discovered version of this Trojan requires no user interaction, this second one does. Instead of just browsing the Web and getting infected, Mac users have to actually download and open the Word document for this second version to work.

Here's what I wrote in my last article:

The good news is this means that this Trojan is not believed to be anything as widespread as Flashback, and if you've downloaded and installed the latest software updates from Apple that patch the Java vulnerabilities (or disabled Java), you're safe. The bad news is these Trojans will just keep coming, likely at an increasing rate. This Trojan further underlines the importance of protecting Macs against malware with an updated anti-virus program as well as the latest security updates.

The first part no longer applies. Updating or uninstalling Java will not do you any good. Instead, you'll need to update Microsoft Office 2004 for Mac and Microsoft Office 2008 for Mac. Thankfully, this security vulnerability is from June 2009, so if you keep your Microsoft software patched, you should be good to go. The last parts still apply.

See also:

• New targeted Mac OS X Trojan requires no user interaction
• Apple releases Flashback removal tool, infections drop to 270,000
• Over 600,000 Macs infected with Flashback Trojan
• Has Flashback malware made you consider installing antivirus on your Mac?
• The scariest thing about the Flashback trojan: I have no idea how to fight it
• How big a security risk is Java? Can you really quit using it?