MacControl Trojan Being Used In Targeted Attacks Against OS X Users

Trailrunner7 writes "Welcome to the age of targeted attacks, Mac users. Perhaps having grown tired of owning Windows machines around the world for the last few years, attackers have now taken up the challenge of going after Macs with the same kind of targeted attack tactics that have served them so well in the Windows world. Researchers have found a new attack that employs two separate pieces of malware, a malicious Word document and some techniques for maintaining persistence on compromised machines, and the campaign is specifically targeted at Mac users. The command-and-control domain involved in the attack is located in China and the attack exploits a three-year-old vulnerability in the way that Office for Mac handles certain Word files, according to researchers at AlienVault, who discovered and analyzed the attacks."

Microsoft (:

Now how cool is that. A new threat is found for the Mac platform and it's in a Microsoft product of course.
It's an improvement on the previous round, though. Last time it was about malware that required you to actually install it :D

Re:Microsoft (:

[Grishnakh]

Since when was the US Government in the business of doing things for the good of humanity?

Re:Microsoft (:

[recoiledsnake]

Now how cool is that. A new threat is found for the Mac platform and it's in a Microsoft product of course.
It's an improvement on the previous round, though. Last time it was about malware that required you to actually install it :D

However, it's an interesting counter-point to the commenters who regularly comment(and get modded up to 11) "How about MS fix security in Windows instead of taking down botnets/shipping antivirus etc.). There is no way to secure an OS from application exploits short of iOS style lockdown, which these very commenters would slag as "TAKING AWAY MY FREEEDOMZZZ". Sorry, but blaming Windows holes has become passe, especially after malware for OS X and Android(run on a Linux kernel which we are told is secure compared to Windows) has come out.

Re:Microsoft (:

[Nerdfest]

An iOS style lock-down wouldn't help. It could just as easily been another piece of software, they tend to pick those that are widely deployed.

Re:Microsoft (:

[mspohr]

However, it's an interesting counter-point to the commenters who regularly comment(and get modded up to 11) "How about MS fix security in Windows instead of taking down botnets/shipping antivirus etc.).

We can now say "How about MS fix security in Windows AND OFFICE" in our rants.

Re:Microsoft (:

[mjwx]

There is no way to secure an OS from application exploits including of iOS style lockdown, which these very commenters would slag as "TAKING AWAY MY FREEEDOMZZZ". Sorry, but blaming Windows holes has become passe, especially after malware for OS X and Android(run on a Linux kernel which we are told is secure compared to Windows) has come out.

Fixed that for you.

Remember that IOS gets exploited regularly, including remote exploits like JailbreakMe.com.

Re:Microsoft (:

[segfault7375]

Whistler: I want peace on earth and goodwill toward men.
Bernard Abbott: We are the United States Government! We don't do that sort of thing.
Martin Bishop: You're just gonna have to try.
Bernard Abbott: All right, I'll see what I can do.
Whistler: Thank you very much. That's all I ask.

Re:Microsoft (:

[am+2k]

The new "gatekeeper" feature would be able to lock down MS Word and the worst that could happen is your documents folder is wiped. But since MS Word would never appear on the Mac App Store users would have installed it with unsigned access. Which would only affect their home directory unless they run as Admin.

Uh, I don't think you know what you're talking about. Gatekeeper is a new thing in 10.8, which only allows stuff that's signed either with an App Store certificate or a Mac developer certificate. It doesn't handle file access at all.

Sandboxing (new in 10.7) limits file (and other device) access to only certain areas, but the documents folder is usually off limits.

If Word would use a Mac developer certificate, starting in 10.8 Apple could pull the kill switch and the application would not launch on any Mac any more. However, that's quite a drastic step and would probably not be done in this case for such a widely-deployed piece of software.

Re:Microsoft (:

[omfgnosis]

Every time it's in their perceived interests, or the perceived interests of the state actor regardless of established policy. In other words, once in a while.

Re:Microsoft (:

[omfgnosis]

Since I don't own an iOS device (nor any other "mobile" device [since my laptop isn't mobile apparently]), can you or any other reader satisfy a curiosity of mine?

Obviously the jailbreaks use a number of vulnerable exploits to gain access; do they also board up the vulnerabilities when they're done? It seems to me that I would want to jailbreak on that basis alone if so, and refuse to use the platform if a known drive-by exploit is out in the wild otherwise.

Re:Microsoft (:

[tlhIngan]

If Word would use a Mac developer certificate, starting in 10.8 Apple could pull the kill switch and the application would not launch on any Mac any more. However, that's quite a drastic step and would probably not be done in this case for such a widely-deployed piece of software.

Incorrect. Gatekeeper has 3 security settings. Most secure is "App Store Only" requiring Apple vetting the app. Default is "App Store and Mac Developer Certificate" which allows App Store apps, as well as 3rd party apps like Photoshop and Microsoft Office. The last setting is basically allow all apps. Even if Apple revokes Microsoft's certificate, the app can always be run in that mode.

Re:Microsoft (:

[niktemadur]

A new threat is found for the Mac platform and it's in a Microsoft product of course.

What happens when the malicious Word file is opened in, say, Open Office?

Re:Microsoft (:

[mjwx]

Since I don't own an iOS device (nor any other "mobile" device [since my laptop isn't mobile apparently]), can you or any other reader satisfy a curiosity of mine?

Obviously the jailbreaks use a number of vulnerable exploits to gain access; do they also board up the vulnerabilities when they're done? It seems to me that I would want to jailbreak on that basis alone if so, and refuse to use the platform if a known drive-by exploit is out in the wild otherwise.

I dont own any iDevices either, but I'd presume not. If anything they add new vulnerabilities such as an SSH server with a default password (Alpine2 IIRC)

Re:Microsoft (:

[am+2k]

Incorrect. Gatekeeper has 3 security settings. Most secure is "App Store Only" requiring Apple vetting the app. Default is "App Store and Mac Developer Certificate" which allows App Store apps, as well as 3rd party apps like Photoshop and Microsoft Office. The last setting is basically allow all apps.

Technically yes, but the second one has been announced to be the default, and you can be pretty sure that 99% of all users won't change any default.

Even if Apple revokes Microsoft's certificate, the app can always be run in that mode.

I'm not sure about that. The system might refuse to run an app whose certificate has been revoked even in that mode, since it can differentiate between binaries without a signature and binaries with a revoked signature.

Re:Microsoft (:

[Shifty0x88]

Sneakers! Great movie!!!!

Re:Microsoft (:

[Shifty0x88]

Well I believe the OS is suppose to have safeguards so that userland apps cannot escalate it's privileges, but as you said no OS is absolutely secure, we just have to patch them as we find them. And finding them usually means a lot of users get hit with some new piece of malware.

Re:Microsoft (:

[nine-times]

Sorry, but blaming Windows holes has become passe

Maybe it's fallen out of style, but even in Android and OSX, many of the exploits require you actively install something instead of "whoops, I visited a website." In reality, though, we should be blaming application developers for a fair amount of the problem. The exploits are often in PDF/Flash, MS Office, the web browser, etc.

On the other hand, even if application developers are to blame, it still pushes some of the blame back onto the OS vendors. Because Windows doesn't have a centralized update utility, each application vendor gets their own little updater. So the user logs in, and they have 7 different Windows pop up that say, "Adobe Reader needs to be updated" and "Adobe Flash needs to be updated" and "Windows needs to be updated" and "Java needs to be updated". Bla bla bla. So many prompts. This leads to one of 2 things-- either (a) the user ignores them, which leads to unpatched vulnerabilities, or (b) the user just clicks "OK" on whatever pops up, including the window that says, "Do you want to install a virus?"

Some people want to say it's Microsoft's fault, and other people want to say it's not Microsoft's fault. The truth is, it's not *all* Microsoft's fault, but Microsoft still stinks.

Re:Microsoft (:

[Vokkyt]

Yes and no. The PDF exploits that were used in the past were patched by the jailbreak community. There are cydia packages which closed it on your newly jailbroken device, the assumption being you had your SHSH blobs backed up for a restore to a vulnerable vanilla firmware should you need it. I'll admit it's been awhile since I read up on it, but I think that all the Jailbreakme's used a userland exploit to Jailbreak, and then recommended patching immediately, less the exploit be used against them.

Re:Microsoft (:

[angel'o'sphere]

Why do you quote your parent,
and rant like mad,
and fail to see: it is not Mac OS X, that fails again, but MS WÃrd!
It is still a *windows* hole because the stupid MS guys never gonna get it.

Re:Microsoft (:

[angel'o'sphere]

Mac users don't "run as admin".
In fact they can't.
Mac users can give themselves an "is admin" flag.
That only means they are in the unix group "wheel" and are registered as "sudoers".
Every process a Mac user starts runs under his user id, not as admin or root. To do so, the process has to ask for permission which requires a root/admin password.

Re:Microsoft (:

[angel'o'sphere]

Technically yes, but the second one has been announced to be the default, and you can be pretty sure that 99% of all users won't change any default.

Empahsize mine.
I guess you are big(ly) mistaken here.
Mac users are to a great extend professionals. Ofc, they change the defaults.
In our days you have to do that at any new OS upgrade anyway as most users don't like the new stuff but prefer to the old/previous behaviour.

LoL

[Architect_sasyr]

Apple exploit found in the wild... targets Microsoft product running on Apple OS.

I like the persistence bit though - use the standard plist files to maintain persistence just like any normal piece of code (like maintaining persistence by running a Windows Service).

Re:LoL

[Architect_sasyr]

I spend my days working as a mac tech, so no, I really do not. I am, however, still highly amused that it happens this way. In much the same fashion as I am amused when wine is used to exploit a linux box.

Re:LoL

[Grishnakh]

Apparently, you're wrong about OS X: someone does want to target it, as seen in the article. And they picked the lowest-hanging fruit, which of course is Microsoft applications running on that platform.

I'm sure there's plenty of other exploits in OS X, but why bother finding those when you can just take advantage of yet another security hole in MS products?

Re:LoL

[lightknight]

That's quite alright. We find things that target Safari on Windows all the time, so I guess it's more of the same.

Re:LoL

[Bert64]

AmigaOS is a single user os with virtually none of the security features present in modern systems, if anyone put the effort in to target it i doubt it would stand up very well.

Linux doesn't have a small userbase by any means, it just has a small userbase on the desktop. In other markets, linux is actually huge.
Similarly while OSX may have a relatively small marketshare, it comes bundled with software which is very widely used such as Apache.

Re:LoL

[sg_oneill]

I spend my days working as a mac tech, so no, I really do not. I am, however, still highly amused that it happens this way. In much the same fashion as I am amused when wine is used to exploit a linux box.

You may laugh, but its truer than you think. Many many moons ago I was admining a small network of linux desktops for students at the local university. Management , non technnical of course, demanded that internet explorer be installed on them. After protesting loudly and losing the argument, I ended up deploying ie6 across the network via wine. It took aproximately 3 days before they became infested.

In a strange way, I took that as a surprising confirmation of wine's compatibility.

In the end I replaced the Mozilla browsers icons with E icons and the office twonks where happy. God I hate tech support

Re:LoL

[otuz]

Amiga actually had a lot of viruses. It was the #1 virus platform before Windows 95 (and its successors). Almost all of them were boot block viruses, which spread via bootable copied game floppies from one machine to the next, not the remote-installed stuff.

Re:LoL

[exomondo]

Apple exploit found in the wild... targets Microsoft product running on Apple OS.

From TFA:
An attacker who successfully exploits this vulnerability could take complete control of an affected system.
http://labs.alienvault.com/labs/index.php/2012/ms-office-exploit-that-targets-macos-x-seen-in-the-wild-delivers-mac-control-rat/

Is that an exaggerated statement or does it indicate some kind of privilege escalation bug in OSX?

Re:LoL

[Grishnakh]

I don't think there's any desktop OS that does such a thing. As long as processes have access to the data owned by that user, there's nothing preventing them from at least mucking with your data. If the user is running as root, then the process can modify system data and break in that way, getting full access to everything on the system. I don't believe Mac OSX has a root/user divide the way most Linux distros do, nor does Windows on the desktop (it frequently does in corporate environments though).

Re:LoL

[Architect_sasyr]

Based on a few of the indicators in the article, I couldn't say for absolute certainty. The indicator:

- Copies itself into /Library/launched

implies administrative permissions of some level (you can't just write to /Library/ unless the systems permissions are shot to hell. Likewise: /Applications/Automator.app/Contents/MacOS/DockLight should not be writable to a non-authenticated user (indeed, it is NOT writable on my laptop - admin user, but no authentication etc.). The article has a few typo's in it which I originally thought may have accounted for /Library/launched (perhaps they meant ~/Library/launched). Certainly the Microsoft KB on this vulnerability doesn't imply administrative rights granted in a one shot.

That said, any package downloaded that is NOT codesigned can be manipulated to include an install-as-administrator payload in the post install hooks - really once you have local user access it is just a manner of time. True everywhere.

Re:LoL

[Megane]

In the end I replaced the Mozilla browsers icons with E icons and the office twonks where happy. God I hate lusers

Fixed that for you.

Re:LoL

[__aaltlg1547]

A trojan works by tricking you into downloading and installing the malware. MS Office was probably picked not because of any inherent vulnerability but because

1. It's widely deployed and

2. People expect their computer to tell them that Microsoft Office wants updating. Microsoft products always want updating.

Adobe products would be an even better choice. Click on a link and up pops a window that tells you you need to install the latest Flash player. The average user doesn't think twice about this because Adobe has trained them to expect to see their browser ask them to download a new Flash player.

Re:LoL

[omfgnosis]

I still don't understand this attitude, but I can count myself (a Mac user) lucky as a consequence. If I were trying to profit from exploiting home PCs, I would target the Mac first and foremost, as the userbase is substantial (millions), demographically wealthy (compared to the whole market) and typically security-ignorant. That's a perfect storm for exploiting for profit, and I'm frankly astonished it hasn't happened on a large scale yet.

Re:LoL

[omfgnosis]

As a web developer who's tried to use WINE to work with IE, and specifically IE6, I can say with confidence that the compatibility you experienced ends before accurately (per IE6) rendering websites. If only Trident as a whole were as portable as its security flaws.

Re:LoL

[omfgnosis]

OS X definitely has a root/user divide, but the default user still has "administrator" privileges which are far more permissive than they should be. The fact is, it's possible to devise a more hardened security regime and maintain home user usability, but it's very hard and would require a kind of cooperation from developers that even Apple probably can't command.

Probably at this point the only way it'll ever happen is for a security-oriented OS to inadvertently take the market by storm (killer app or whathaveyou), and I'm pretty sure that ship sailed a decade or two ago.

Re:LoL

[fishbot]

After protesting loudly and losing the argument, I ended up deploying ie6 across the network via wine. It took aproximately 3 days before they became infested.

Isn't cleaning them up just a case of killing all the wine-server processes then deleting and replacing the contents of the fake C: drive?

Re:LoL

[thejynxed]

It could just be similar to the common way it is done on Windows machines - the basic malware package installs itself locally in userspace using user permissions (unless the current account has System or Admin, in which case all bets are already off), and then waits for a process or the user to invoke admin/system level permissions for some action, and pounces upon that to hook itself deeper into the system, thus allowing more remote malicious code to be downloaded and installed to the machine.

Re:LoL

[Shifty0x88]

I believe we are seeing this rise in Apple malware because more and more people are buying Apple products, and if you were around 10 years ago, you are right no one would target Apple because no one owned them(companies but not everyone and your grandmother), but now everyone seems to get one and need the next new one.
Great part is (for malware makers, that is) a lot of these people buy them because they DO think they are impervious to malware, when in reality no one has really tested them as being safe or not. This is all because a lot of the ones that buy Apple have no idea how to use a computer let alone admin it.

Re:LoL

[Shifty0x88]

Besides how else is a company like: Vupen Security going to make money by selling exploits if we all used security-oriented OSs.

I mean jeez, you wanna take money from this guy's mouth? Why would you wanna do that? LoL

Re:LoL

[Shifty0x88]

I still don't understand this attitude, but I can count myself (a Mac user) lucky as a consequence. If I were trying to profit from exploiting home PCs, I would target the Mac first and foremost, as the userbase is substantial (millions), demographically wealthy (compared to the whole market) and typically security-ignorant. That's a perfect storm for exploiting for profit, and I'm frankly astonished it hasn't happened on a large scale yet.

DING DING DING DING!!! WE HAVE A WINNER!!

However for all of those people, like yourself that bought an Apple product in what the last 5 years they have been getting big, Windows users still outnumber you and when you are trying to get a bot net to steal information, the numbers matter more then how easy it is to get passed the user.

And let's face it there are dumb users on any platform (Win or Apple)

Re:LoL

[gstrickler]

Yes, but no one uses Safari on Windows.

Many of us Mac users are now avoiding newer versions of Safari on Mac OS X as well. Webkit is a good engine, but Safari has issues, and they're getting worse, not better.

Re:LoL

[omfgnosis]

But numbers of people aren't the only numbers. The reason I pointed out relative wealth was because not everyone's identity is equally valuable to a thief.

Re:LoL

[cpu6502]

You don't really believe OS X is impervious to viruses do you? If they can hack Android linux and Apple iOS to install malware, then they can do the same to their big brothers on the desktop.

I guess I could mimic the Apple fans and proclaim, "My Commodore Amiga's OS 4 is awesome. It has no viruses!" Of course that's only because nobody wants to target such a small userbase. Ditto linux. Ditto OS X.

Re:LoL

[Travelsonic]

Mimic SOME apple fans, right? If you believe that attitude represents everyone, I've got a bridge to seel you.

Re:LoL

[Travelsonic]

*sell, not seel - damn typos :P

Re:LoL

[Shifty0x88]

Ah true, good point.

I just figured they would want to just sit on your computer and "sip" money out of your account as not to arouse your suspicions that you had malware, so I figured numbers are better then a couple of rich people. But you may be right, maybe they just charge 10,000 bucks from the rich and they wouldn't notice and the not as wealthy people only get 1000 bucks taken. (Numbers are of course fake)

Sounds like a vulnerability in a Microsoft product

Another reason to use Open Office.

I guess that's what you get for using Microsoft

[Grishnakh]

Interesting that this Mac exploit only applies to Mac users who use Microsoft Word. Not saying that Macs are ultra-secure, but maybe the malware authors are just going after the low-hanging fruit, which is Microsoft software, regardless of what platform it's installed on.

Maybe this is how MS will finally put to rest the notion that Linux is more secure than Windows: they'll release MS Office For Linux, which will then open Linux users up to the same level of insecurity Windows users have had forever.

Re:I guess that's what you get for using Microsoft

[bmo]

Interesting that this Mac exploit only applies to Mac users who use Microsoft Word

When you include a scripting language in your document spec, expect people to use it.

Good people and bad people.

--
BMO

Re:I guess that's what you get for using Microsoft

[v1]

Writing a macro language for your anything that has the ability to silently add/edit the macros in other unrelated documents is just nine kinds of stupid.

Re:I guess that's what you get for using Microsoft

[sribe]

Damn. I have mod points, but there is no "insightful AND funny" +1.

Re:I guess that's what you get for using Microsoft

[vux984]

Writing a macro language for your anything that has the ability to silently add/edit the macros in other unrelated documents is just nine kinds of stupid.

What makes you sure something equivalent couldn't be done with iWork and Applescript? I mean other than iWork's marketshare, of course.

Re:I guess that's what you get for using Microsoft

[MiG82au]

Stupid? Did you misspell useful? No, of course not, but there's a silver lining in every cloud; my company makes heavy use of probably every dangerous VBA feature for our internal automation.

Re:I guess that's what you get for using Microsoft

[Bert64]

The scripting language is one of the least concerns...
The biggest problem is the complexity and age of the file formats. There is plenty of complexity, and lots of crufty old code waiting to be exploited, while on the other hand the format is poorly documented which makes it hard to validate files against a known good spec.

Re:I guess that's what you get for using Microsoft

[tmosley]

I love it when something that is inherently vulnerable is enabled by default when 0.0001% of users actually use it.

There is NO excuse for that.

Re:I guess that's what you get for using Microsoft

[Billly+Gates]

Please stop this anti MS and how Windows and anything MS is sooo insecure crap. Its getting old.

Windows has been fairly secure for awhile now. Vista/Windows 7 has DEP, ASLR, sandboxing, process and privilege separation, and a very active security team. I do not see these things in other operating systems except maybe VMS.

If you keep seeing infections then please update your 10 year old XP kernel and stop using old versions of java and flash and install an anti virus package. That is how the vast majority of exploits get installed.

So there is an exploit. They are everywhere in this day and age.

Re:I guess that's what you get for using Microsoft

[v1]

And in a recent version of office I saw someone receive a word document with macros in it. "DO NOT allow macros to run". She did anyway. Why? Because in their infinite wisdom, it won't ALLOW you to open the document with macros disabled - they give you two options, (1) open it with macros enabled, or (2) don't open it. Brilliant.

I have YET to run into a user that will listen to me when I tell them to never open those, call me and I will clean them. "But I HAD to have that document right now!" and they open it anyway. And then I have a mess to clean up. Thank you so much MS, create a problem, then implement a solution in a way that the average user will be unwilling to use.

Making mistakes due to lack of foresight, ok I can kinda get that. But then compounding the problem with just plain bad decisions is much harder to forgive.

Re:I guess that's what you get for using Microsoft

[Grishnakh]

No one said Apple's stuff was any less stupidly-designed than MS's.

Re:I guess that's what you get for using Microsoft

[Grishnakh]

If there's no consequences for her behavior, then she has no reason not to behave that way, since you're apparently on the hook for cleaning up her mess.

Can't you make cleaning her mess low-priority and get to it after a week or so, leaving her unable to do her job in that time? And make sure all the blame is squarely on her shoulders?

Re:I guess that's what you get for using Microsoft

[v1]

Can't you make cleaning her mess low-priority and get to it after a week or so, leaving her unable to do her job in that time?

Besides being a good way to get chewed out/disciplined/fired, BofH-style IT isn't very ethical.

And if you still want to take the selfish approach, think about it... an office secretary with a macro virus loose on her machine, imagine how fast that would propagate around the office? turn one headache into many?

Re:I guess that's what you get for using Microsoft

[Grishnakh]

I'm not saying don't fix her machine, but it shouldn't be top priority. Are you really so underworked that you have time to drop everything and fix her machine when she screws up yet again (or someone like her)? If so, then fine; the company has seen the need to have spare people around just to deal with this kind of problem. But most places seem to have more important stuff for their IT people to do than fix dumb problems their users create.

And no, you shouldn't allow her to have a virus loose on her machine; it should be shut off, taken away, and quarantined until fixed. Until then, she can stare at her cubicle walls, and when she isn't getting her work done, she can explain that she screwed up and isn't able to use her computer until IT fixes it, and her performance review can suffer as a result. If the company has a problem with that, they can hire additional IT personnel to sit around playing games until a problem like this comes up.

Re:I guess that's what you get for using Microsoft

[MiG82au]

In office 2010 I can edit and save documents without enabling the macros. I do it all the time.

Re:I guess that's what you get for using Microsoft

[foniksonik]

Office is installed on all corporate machines, PC and Mac. Corporate espionage is the likely agenda.

Re:I guess that's what you get for using Microsoft

[foniksonik]

Doesn't work like that. The best you could do would be to giver her a loaner, preferably a P4 with 256MB RAM. If she's got pull she might be able to get that swapped out for a brand new laptop though, which might also be okay - then you give her a few days to get used to a good system, then yank it away and give her back her old one. She'll be miserable either way.

Re:I guess that's what you get for using Microsoft

[BitZtream]

Besides being a good way to get chewed out/disciplined/fired, BofH-style IT isn't very ethical.

Treating people who intentionally behave badly the same as those users on your network that comply with usage rules and ITs guidelines is unethical and unfair to all the people who do what you ask them to do.

You shouldn't let that person sit if you have no other tasks, but they damn sure go to the bottom of the list of things to do. Its not fair to punish good employees and make them wait while you deal with a repeat offender who continually does the same stupid shit to cause the same stupid problem.

Re:I guess that's what you get for using Microsoft

[BitZtream]

Windows has been fairly secure for awhile now. Vista/Windows 7 has DEP, ASLR, sandboxing, process and privilege separation, and a very active security team. I do not see these things in other operating systems except maybe VMS.

Yea, and don't forget the fact that OSX does it better, as does Linux and FreeBSD and probably solaris and the other unix left out there.

Yes, Microsoft is getting better, but they are still the very last ones in the race by a long fucking way. Hell, unix had DEP before windows fucking existed. x86 is just now catching up to what the rest of the CPU world has been doing for 20 plus years, and thats just in my experience, I'm sure it really goes back further than that. Different variants of ASLR were actually just the way things worked on some OSes, not for security but because thats just the way it worked. Non-randomized addressing via the hardware mmu was a freaking wanted improvement to make it easier on programmers. OSX, FreeBSD, Linux, and Solaris have supported various forms of sandboxing for 15 years.

You're really trying to claim MS invented privilege separation on the desktop? Wait, I see the problem, you're unaware of the fact that their are other OSes in existence other than Windows, thats got to be it, how else could you be so silly?

Re:I guess that's what you get for using Microsoft

[exomondo]

Interesting that this Mac exploit only applies to Mac users who use Microsoft Word.

The bug they reference in TFA appears to have been patched years ago, so would appear it's only on old systems that haven't been updated in years.

Re:I guess that's what you get for using Microsoft

Writing a macro language for your anything that has the ability to silently add/edit the macros in other unrelated documents is just nine kinds of stupid.

What makes you sure something equivalent couldn't be done with iWork and Applescript? I mean other than iWork's marketshare, of course.

The fact that you can't embed AppleScript in an iWork document?

Re:I guess that's what you get for using Microsoft

[yuhong]

Yea, this particular vulnerability has nothing to do with macros.

Re:I guess that's what you get for using Microsoft

[omfgnosis]

Presumably it's low-hanging because Word on the Mac shares code with Word on Windows, and it's a more familiar target for malware authors. I doubt Microsoft software in general is especially vulnerable, it's just especially prevalent.

Re:I guess that's what you get for using Microsoft

[Billly+Gates]

No.

When people bash Windows they talk about 10 to 15 year old technology and browsers based on their biased hatred. Thats what I am talking about. XP and IE 6 do suck ass in terms of security yet cios think they are just as secure because they receive updates and it feeds the rapid anti ms trolls who are forced to support it. I am saying Windows 7,IE 9, and office 2010 are current and have these feautures. Aslr is experimental and jails are not quite the same thing in BSD land but nice to isolate things. Ms is not crap anymore

Re:I guess that's what you get for using Microsoft

[V+for+Vendetta]

Because in their infinite wisdom, it won't ALLOW you to open the document with macros disabled - they give you two options, (1) open it with macros enabled, or (2) don't open it. Brilliant.

Haven't tried that in the recent version, but in previous versions of MS Office one could open the file in question via the application's "Open file" dialogue and press the Shift key while clicking on the "Open" button. That way (AutoStart) macros in that document won't execute.

Re:I guess that's what you get for using Microsoft

[Shifty0x88]

Number of people on Linux that will install Office, if they are in fact even making Office for Linux, small to null (I mean nil)

Android is better!

Oh wait, this isn't an iPhone thread.

Damnit Slashdot, you got me again!

Re:Android is better!

[Shifty0x88]

HAHAHAHAH, I don't care that you posted as AC, I would have modded you if I had points

Re:Sounds like a vulnerability in a Microsoft prod

another reason not to use office software outside a virtual machine...

Updates?

[Random+Data]

Interestingly Office for Mac (at least, the version I have access to) doesn't seem to have automatic updates enabled by default, if it has them at all. It's not my computer, so I'm not going to dig that much - correct me if I'm wrong.

I've used Libreoffice, Neooffice or OO on my mac, and all of those prompt me to update reasonably regularly - certainly more often than every 3 years! While it can be annoying, it's probably better than a compromised computer.

( Insert Microsoft bashing for karma-whore points here)

Re:Updates?

[IKnwThePiecesFt]

Office 2008 on my Mac opens the Microsoft Software Updater to check for updates once a month (as long as I open a Microsoft product, including the Office suite or RDP).

Re:Updates?

[Random+Data]

OK, so I've been playing with 2004 from memory (possibly even earlier), and that's been changed. This means the exploit shouldn't actually affect too many people - if you blindly click "OK" then you'll already be patched. Thanks for confirming.

Re:Updates?

[yuhong]

BTW, this is a good time to mention that Office 2004 for Mac ended support after the January 2012 Patch Tuesday, and Office 2008 for Mac (product targeted by this exploit) ends support April 2013.

10,000 hipsters abandon the Mac

[hessian]

It's gone mainstream. Now that it has viruses, it's like the Miley Cyrus of computing.

Time to find something more obscure. OpenVMS on an Atom system with a retro GEOS interface. That's the ticket.

I used to like Apple before it was mainstream, but now I've moved on. Just like with White Ring and fixies.

Re:10,000 hipsters abandon the Mac

[Random+Data]

Wait, fixies are passé now? Awesome, I can ride mine without people demanding I wear tight jeans and a sour expression!

Re:10,000 hipsters abandon the Mac

[BitZtream]

Fixies aren't trendy if the reason you have one is because you're too poor to fix your broken ass derailer. If you do it intentionally on a perfectly functional bike or you go to some bike shop and buy one made that way, then you're a trendy fuck.

Re:10,000 hipsters abandon the Mac

[Shifty0x88]

HAHAHA, awesome!

so true, and so awesome

Re:10,000 hipsters abandon the Mac

[AlienIntelligence]

Wait, fixies are passé now? Awesome, I can ride mine without people demanding I wear tight jeans and a sour expression!

I wear my tight jeans on a mountain bike, ironically.

-AI

Don't blame Microsoft...

[t4ng*]

Any OS that can be pwned by an exploit in *any* software running in user mode is insecure. Sorry, but those are the facts.

The reason for using an exploit in MS-Office is because is one of the most commonly used software products on Macs since its very beginning. So developing an exploit that uses a commonly used software means a better chance of spreading it.

Re:Don't blame Microsoft...

RTFA It's been patched for three years, the vulnerable machines are not running updates.

Re:Don't blame Microsoft...

[t4ng*]

rmuser

adduser

Done.

Re:Don't blame Microsoft...

[Shifty0x88]

It requires the user to be running as admin to take over the machine.

which A LOT, A LOT of people do, mainly because they don't know better and secondly because it's a lot easier for them not to switch between accounts

patched three years ago

[MushMouth]

Actually this is what you get when you shut/put off updates.

Re:patched three years ago

[Shifty0x88]

I thought it was they didn't know how, LOL (jk)

Now if we were talking about Windows here, I would say they are just counterfeit windows installs and that's why there is no one updating lol

Meh?

[Anubis+IV]

Macs had a flurry of trojans that hit them last year too. Apple put out the 10.6.8 update that allowed them to deliver daily anti-malware updates, and then used it to block every variant of the trojan within a matter of hours after it first appeared. Since 10.6 or above has been the default on all new Macs for the last 2.5 years, and Software Update is enabled by default to regularly check for updates, you can bet that the vast majority of Mac users will be receiving an automatic anti-malware update sometime later this week or next to deal with the trojan.

Re:Meh?

[antdude]

I wonder if MS will patch Office 2008 Mac on older Mac OS X like 10.5.8.

Re:Sounds like a vulnerability in a Microsoft prod

[some1001]

Really? Aren't we just getting a little paranoid? Why not take it one step further and suggest to sandbox every application inside the VM OS?

Re:Microsoft!

[viperidaenz]

Didn't Apple force Microsoft to continute developing Office for Mac with some legal bollocks?

Hipsters run Office?

[SuperKendall]

Pretty sure Hipsters are still safe.

Nerds who mock hipsters however, remain ever in peril from a universe who loves to inflict identical troubles on those who mock.

Re:Sounds like a vulnerability in a Microsoft prod

[jenic]

Really? Aren't we just getting a little paranoid? Why not take it one step further and suggest to sandbox every application inside the VM OS?

Great idea! Is someone working on that?

Re:secure by design

I agree...somehow when there's a post on an MS app being exploited on an MS OS, the attitude is that the OS is so insecure that it allows an apps insecurity to compromise the system--but for some reason if you get an MS app being exploited on a 3rd party OS, it's all about how it's only the apps fault, and has nothing to do with the OS in any way shape or form.

Re:Sounds like a vulnerability in a Microsoft prod

[Grishnakh]

Not likely; OO.o has a much smaller number of known users than MS Office, so there probably aren't many malware writers bothering with it.

However, MS always seems to have a bad habit of totally ignoring security with their architectural decisions, such as their macro language use in MSO. Someone more knowledgeable than me could comment on how OO.o's (and LO's) macro language compares with MSO's in regard to security.

Re:Office for Mac?

[Centurix]

Embrace, Penetrate, Ejaculate.

The upcoming Microsoft memo.

Re:secure by design

[Grishnakh]

For Macs, yes, it was mostly bullshit.

Re:Sounds like a vulnerability in a Microsoft prod

Microsoft patched this in 2009

however this from OO-2 is still unpatched
http://secunia.com/advisories/38567/

Re:Still waiting for a real Linux virus

[fbartho]

Do you count PHP Worms? Linux runs many webservers that spread various kinds of php worms and spam machines.

The exploits were in poorly configured PHP instances, and poorly written PHP applications, but even if those worms didn't care what OS their server was running, the worms still technically ran on linux (at least some of the time).

Re:Still waiting for a real Linux virus

[willaien]

Considering the sheer stupidly large amount of hits I get from compromised machines trying to SSH into my server, I'd say that there are linux viruses out there.

Re:Still waiting for a real Linux virus

[Billly+Gates]

I do not know what world you live on but where do you think the term "root"kit came from?

If you guess the account root and its associated Unix then you are correct.

Linux servers are heavily targeted. I met someone who worked at a bank and all their Suse servers were rootkitted with a virus for the sole purpose of hosting a phishing scheme and stolen credit card database. Sure more viruses target windows to steal the information but where do you think they store the stolen information Linux servers.

There are plenty of viruses for Unix operating systems

mandatory "updates" - [expletive deleted]

From Walking on thin ice By Peter de Jager, an international speaker on the subject of change and technology. He recently testified before Congress on the Year 2000 problem, he used to have a www site devoted to the issue. ...
Here's a good example of a well-known Mac application that can't handle a very simple Year 2000 entry. ...
When I purchased * (in 19XX, version 1.5), I didn't intend to use it for a limited time only. I bought it to perform a particular task for as long as I had reason to perform that task. "Ah ha!" I can hear you cry, "he's not on the most recent version! That's why he's having a problem!" Sorry, but you're missing the point and making a very interesting assumption about the computer software industry. * version 1.5 does everything I want an accounting product to do, so why should I shell out more money for features I don't need, can't afford, or choose not to acquire? ...
I don't know if the concept of mandatory upgrades has been communicated to corporate America. And I don't believe the concept is ethical.
One could argue that the Year 2000 problem in * is a bug, and we all know unexpected bugs are beyond our control. We accept that it's impossible to eradicate all bugs. We live in the real world.
Fair enough. But this expiration date is not unexpected. The programmers of * knew it exists -- after all, they created a specific error message to inform users who violate the allowable range of dates. Hardly what you would describe as an "unexpected" bug.

Re:Sounds like a vulnerability in a Microsoft prod

[goodgod43]

Solution
Update to version 3.2.

Seriously? That's what you are going to use to scare people away from OO? It took one click to find the solution to your petty quibble.

Re:secure by design

[jo_ham]

Being secure by design does not mean it's immune to trojans and software exploits. The two things are not mutually exclusive. You can design a system with an eye on security (for example, not running as root by default, have the default state of network-facing services be "off", that sort of thing) but it does not mean that the software will be immune. There will always be bugs and holes - and on the Mac, there are plenty. There are relatively frequent security updates for OS X (more in the early days, but they have not dried up completely) as potential exploits are discovered and patched.

This isn't even the first trojan for OS X. The hole was patched three years ago though, so only non-updated machines are at risk*.

*note, machines still vulnerable to other OS X security threats, of which there are a few, mainly trojans. Don't download a piece of software from a torrent site claiming to be Microsoft Office.dmg, but is only a few 10's of MB - it's probably a trojan.

Re:Sounds like a vulnerability in a Microsoft prod

[otuz]

Apple is actually sandboxing all apps by default in 10.8 "Mountain Lion"

Re:Still waiting for a real Linux virus

[mark-t]

Root kits are not viruses. They are security exploits, but they must be manually installed by somebody who already has at least user privilege on the machine. I would be willing to bet money that the issue at the bank was not a virus, but a rootkit... possibly a trojan.

My point still stands. I would like somebody to please identify *ANY* linux virus that has ever been caught "in the wild" and has compromised even a modest percentage of actual Linux machines in existence.

Bear in mind that by virus, I mean something that can propagate itself to other computers without any explicit user intervention and can proceed to infect any other computers it reaches that have not been patched to prevent the intrusion.

Re:Still waiting for a real Linux virus

[mark-t]

For definitions of "few" that run in the tens of millions, yes.

Re:Still waiting for a real Linux virus

[mark-t]

What suggests to you that the compromised machines trying to ssh into your server are running Linux... or any unix variant, for that matter?

Re:Satan

[retchdog]

it's technically a bot, but one written by a crazy person.

specifically, it's from a divination app packaged into LoseThos, a 64-bit hobby OS written by a schizophrenic man on orders from god himself. it really has to be seen to be believed.

never ever ever

[slashmydots]

Hmm so a 3 year old exploit that hasn't been patched. Well obviously now Microsoft is going to, as quickly as possible, NEVER, EVER, EVER patch it. Apple's support ratings have been slipping, their prices are from some other quantum reality, so really all they have is "magic virus proof product" in their arsenal. Since most users install Word, it's definitely going to stay that way for a long time. I just think it's so hilarious that Apple built next to nothing into their OS for dealing with this situation, there are basically zero diagnostic and manual disinfection tools for macs, and the existing antiviruses for it are a joke. I smell a disaster brewing.

Re:Sounds like a vulnerability in a Microsoft prod

[omfgnosis]

Given the ability to provide necessary functionality and usable/understandable control end-user control over escalation requests, why wouldn't we sandbox everything?

Re:secure by design

[Farmer+Tim]

Don't download a piece of software from a torrent site claiming to be Microsoft Office.dmg, but is only a few 10's of MB - it's probably a trojan.

Bloat: your guarantee of genuine Microsoft quality.

Re:Office for Mac?

[omfgnosis]

It's still a vulnerability in OS X. Poorly secured third-party executables should not allow access to the system. Regardless of whether it's Apple's OS or otherwise.

Re:Still waiting for a real Linux virus

[Spiked_Three]

Just wait until it hits more than 3 users!

GREAT IDEA! however

[bussdriver]

But macs fail to mount /tmp in a secure way; there is only 1 mount point. One can wonder about the next OS with the option to forbid non-signed apps from running and how that will impact this.

OSX users without any type of AV

[bigdogpete]

I know at least 10 OSX users and they don't have any basic AV on their system. I quote one of them....."I don't need any AV on it macs don't get infected". At that point my jaw dropped and I walked away. This is the problem with the hype. I am not saying everyone but damn people not even basic AV. As the market share grows of OS* so does the people looking to find exploits.

Re:OSX users without any type of AV

[Jeremi]

I am not saying everyone but damn people not even basic AV.

What exactly is "basic AV"? Does that refer to a program that automatically downloads known malware signatures, and checks email attachments and downloaded software against them before allowing them to execute?

Because if so, MacOS/X includes that functionality now -- so your Mac buddies probably have basic AV, even if they don't know it. No monthly tribute to Symantec (et al) is required.

Re:OSX users without any type of AV

[LordLimecat]

At this point, installing Mac "antivirus" is probably the most surefire way to get some crapware or virus. Although I guess you could go with norton (not sure how thats materially different from those).

Re:Sounds like a vulnerability in a Microsoft prod

[SimonTheSoundMan]

Prefer to use iWork. For regular work it is far better to use than Office.

Re:Sounds like a vulnerability in a Microsoft prod

[Shifty0x88]

Hypervisor to the rescue, sandbox the entire OS, and you will never have to worry about getting a virus, simply restart to an earlier snapshot.

Then the only problem is performance will be degraded because it's being virtualized, and we just have to make sure nothing(no malware) can figure out it is in a virtual machine(like blue pill? or was it red pill? and other VM aware exploits) and nothing can break out of the virtual machine and infect the hypervisor.

Once it gets to the hypervisor it's all over

Re:Sounds like a vulnerability in a Microsoft prod

[Shifty0x88]

LibreOffice the other fork of OpenOffice and NOT run by Oracle! Even smaller userbase and can still get the updates from OpenOffice(pulls by coders, not users)

Re:secure by design

[Shifty0x88]

Don't download a piece of software from a torrent site claiming to be Microsoft Office.dmg, but is only a few 10's of MB - it's probably a trojan.

Bloat: your guarantee of genuine Microsoft quality.

HAHA, so true!

Old exploit

[macshome]

If you click through and read the MS Kbase on this you'll see that they patched this in Office 2004 and 2008 for Mac back in 2009. It doesn't appear to exist in the current versions of Office:Mac.

The document exploit is also present in Windows versions of Office as well from the same timefreame.

Re:secure by design

[LordLimecat]

Thought OS was responsible for 3rd party vulnerabilities?

Parent has been labeled troll but hes not wrong; this is the crap that people have been spouting and its nonsense. Show me an OS that cant get viruses, and Ill show you an OS that cant run third party binary code or interpreted code or receive updates.

Re:Sounds like a vulnerability in a Microsoft prod

[omfgnosis]

And here we have again a false silver bullet. Security is hard. Sandboxing (and virtualization) are great, but they're not The Solution.

Re:Satan

[CaseCrash]

Wow. That is brilliant. And insane. I can't believe I hadn't heard of it yet.

Get Little Snitch

[grantspassalan]

There is a neat little program, that works like the roach motel. Trojans can check in, but they can't check out, that is send anything out on the Internet without warning the user first. The program is called Little Snitch. It allows only specifically permitted programs and services to send data out onto the Internet or even the local network. There are many programs that try to call home for various reasons. There is no reason for a word processing program to access the Internet, especially if the IP address is somewhere in China or Russia. All programs that are not specifically allowed to send data to the Internet, are blocked by default. When a program does try to send something, the user is given the domain name where it wants to send some information. The user is then given a choice to deny access, give access until that program or service quits or deny access completely.

Re:Get Little Snitch

[scdeimos]

There is no reason for a word processing program to access the Internet, especially if the IP address is somewhere in China or Russia.

Yes internet access should be gated as you suggest and there are plenty of software firewalls around that do that already, but I'll give you two use cases where a word processor needs to access the internet: 1. A user copies something from a web page and pastes it into the word processor - the clipboard only holds the HTML of the selection, so the word processor has to fetch any image references to embed in the document. 2. A user wants to view or edit a document in a SharePoint (or other) repository - so the word processor has to make WebDAV requests or similar to fetch and update the document online.

Re:Get Little Snitch

[grantspassalan]

Yes, but when Little Snitch puts up a window that the word processor has to send the request for this image or other data to some Russian, Chinese or other funky domain, the user can deny access.

Re:Get Little Snitch

[angel'o'sphere]

From an academic standpoint your points are right. However that is not how the clipboard works (neither on the Mac nor on Windows)
The clipboard is filled from the application where the cut is occurring. The application can fill the clipboard with various data formats. In case of a word processor, the processor very likely will either access an rtf document, or the image (in your example) is referenced via the browser cash, and not via a network connection. In fact in Apple programming guidelines the later is explicitly recommended as good practice.
Or how exactly would you cut/copy something from a web page you loaded a day ago and now you are working offline in a train?

Re:Sounds like a vulnerability in a Microsoft prod

[Shifty0x88]

Care to share the solution?

A little more security never hurt anyone, neither did a fuzzy tester on your software, good alpha/beta testing, and apparently giving money to hackers for bug exploits (Firefox, Google, that I know of). All of these things combined can help you... granted you are bulletproof but your software and customers will be happier because you did it and found some flaws before you released it.

Imagine what Stuxnet would have done if Siemens put some security (or should I say, closed the holes they introduced) into their devices?

Re:Still waiting for a real Linux virus

[willaien]

The concept of self-propagation is lost on you, eh?

Re:Still waiting for a real Linux virus

[mark-t]

Not at all. My point is what makes you think that those attacks are self-propogation attacks, and not simply attempts to find a security hole and install a rootkit? Do you have any evidence that a linux rootkit is what was actually being used to attack your system? Or are you simply assuming that it is because you can't think of any reason that non-linux systems would try to find security holes in Linux boxes?

Re:Still waiting for a real Linux virus

[willaien]

Since I'm not one to voluntarily open up security holes, I'll stick to an educated guess.