Mar 30

New OSX exploit due to Microsoft Office

A new wave of cyberattacks targeting computers running Apple’s Mac OS X is using an old, but patched, vulnerability in Microsoft Office for Mac to deliver malware.

Tech site CNET said that, while the vulnerability had already been fixed, this was the first time Microsoft Office documents have been used to exploit OS X systems.

“The vulnerability was patched soon after it was found, and currently all supported Office programs are well beyond these versions. However, malware developers are attempting to exploit unpatched systems. These efforts mark the first time Office documents have been used as a vehicle for attacks in OS X,” CNET reported.

CNET said the vulnerability had been detailed in a Microsoft security bulletin dating back to June 2009, affecting versions of Office 2004 and 2008, and OpenXML Converter 1.0.2 or earlier.

The attack involves a maliciously crafted Word file that has likely been distributed via spam. The file runs a script that writes the document’s malware payload to the disk.

The file executes a shell script that runs the malware, then displays a Word document containing a poorly formatted political statement about Tibetan freedoms and grievances.

So far, two malware variants have been observed being distributed via these malicious Word documents:
  • The first piece of malware appears to install in the Automator program that ships with OS X as a binary called “DockLight.”
  • The second piece of malware appears to try to mimic the system launcher program “launchd” by installing a similarly named executable file in the global library directory and then creating a launch agent that keeps this binary file running when the computer starts.
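
A defender-side check for the persistence technique used by the second variant, added here as an example and not taken from the CNET report: it parses launch agent property lists and flags jobs whose executable has a name close to "launchd" but is not the real `/sbin/launchd`. The sample jobs, the file name `/Library/launched` and the similarity threshold are constructed assumptions; the report does not give the malware's actual file name.

```python
import difflib
import plistlib
from pathlib import PurePosixPath

LEGIT_LAUNCHD = "/sbin/launchd"   # where the real launchd lives on OS X
SIMILARITY_THRESHOLD = 0.8        # assumption: tune to your environment

# Constructed sample jobs (not taken from the malware; its file name is not in the report).
SUSPECT = plistlib.dumps({"Label": "com.example.constructed",
                          "ProgramArguments": ["/Library/launched"],
                          "RunAtLoad": True})
BENIGN = plistlib.dumps({"Label": "com.example.backup",
                         "Program": "/usr/local/bin/backup-agent",
                         "KeepAlive": True})


def program_path(job):
    """Return the executable a launchd job runs (Program, else ProgramArguments[0])."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def audit_job(plist_bytes):
    """Return a finding dict if the job runs a launchd lookalike, else None."""
    job = plistlib.loads(plist_bytes)
    path = program_path(job)
    if not path or path == LEGIT_LAUNCHD:
        return None
    name = PurePosixPath(path).name.lower()
    score = difflib.SequenceMatcher(None, name, "launchd").ratio()
    if score < SIMILARITY_THRESHOLD:
        return None
    return {
        "label": job.get("Label"),
        "program": path,
        "similarity": round(score, 2),
        # RunAtLoad / KeepAlive are the keys that keep a job running across restarts.
        "persistent": bool(job.get("RunAtLoad") or job.get("KeepAlive")),
    }


if __name__ == "__main__":
    for sample in (SUSPECT, BENIGN):
        print(audit_job(sample))
```

On a real system, the bytes passed to `audit_job` would come from the `.plist` files in `/Library/LaunchAgents`, `/Library/LaunchDaemons` and `~/Library/LaunchAgents`.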