Wednesday, May 02, 2012

New Mac Malware Targets Microsoft Office

Microsoft is reporting that security researchers have discovered a new piece of malware that targets Macs running OS X Snow Leopard and Microsoft Office.

"As we analyzed the malware, we found that the malware author managed to corrupt a local variable and used that corrupted variable to deploy 'stage 1' shellcode to a designated area. This corrupted variable is later used for a target address and is where the stage 1 shellcode is copied. The corrupted return address points to this target address as well," Jeong Wook Oh of the Microsoft Malware Protection Center said in a blog post on the malware.

The vulnerability that the malware exploits is actually a three-year-old flaw that affects Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac and the Open XML File Format Converter for Mac. Microsoft patched the flaw in June 2009; however, if users failed to apply the patch, their systems can become infected. Microsoft's researcher found that the exploit in this specific piece of malware doesn't work on versions of OS X newer than Snow Leopard, because the particular address it writes to isn't writable in OS X Lion. Users of the newer releases of Apple's operating system should therefore be safe. To be on the safe side, however, Microsoft recommends that users of Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac or the Open XML File Format Converter for Mac install the latest product updates.

"Exploiting Mac OS X is not much different from other operating systems," Oh wrote. "Even though Mac OS X has introduced many mitigation technologies to reduce risk, your protection against security vulnerabilities has a direct correlation with updating installed applications."

For this specific vulnerability, you can visit the Microsoft Security Bulletin MS09-027 page and download the update.
