Office flaw used in OS X-targeted attack

Security researchers at Microsoft have discovered new malware that exploits an old bug in Microsoft Office; but rather than attacking PCs, it actually targets Mac OS X machines.

(Nom Nom Apples image by Martin Cathrae, CC BY-SA 2.0)

The vulnerability, which was ranked as critical when it was discovered and patched in 2009, allows attackers to execute remote code — essentially allowing them to take control of a machine. According to threat researcher Jeong Wook (Matt) Oh, new malware utilising the vulnerability has likely surfaced now, because not all machines are kept up to date, indicating that malware authors are taking advantage of users' reluctance to patch.

The malware is ranked as severe by Microsoft, and has called it MasOS-X/MS09-027.A, using the naming convention of its security update. Due to the way that the exploit code is loaded into memory, and how OS X Lion protects certain segments of memory, the exploit fails under Lion. But Snow Leopard and earlier versions do not protect the area of memory that the malware targets, and are also vulnerable if Office for Mac is not patched.

Oh's analysis of the malware revealed that the main payload is a Mac executable that communicates with a command-and-control (C&C) server. Oh wrote on the Microsoft Malware Protection Centre Threat Research and Response Blog that the function names within the code for the C&C client suggest that the malware connects to the server, then parses commands, uploads files or runs commands. Function names include RunFile, GetSystemInfo and DeleteFileAndDirAtPath; which indicates the level of control that the attacker has.

Oh said that the RunFile function provides evidence that it was written specifically for OS X. He also indicated that the authors had a particular target group in mind for the malware, since it seemed they knew their target would not be running Lion, and had made assumptions on what patches would be running, given that fact.