While the Office-based vulnerability that is used to exploit OS X does not work in Lion, it serves as a reminder to always keep all software up-to-date.
by Topher Kessler
Following the recent malware attacks on OS X, Microsoft has been examining the three-year-old flaw that several different malware attempts have exploited in recent months. Microsoft Malware Protection Center analyst Jeong Wook Oh has found that the exploit does not affect OS X Lion systems but can succeed on those running OS X Snow Leopard.
In the exploit in question, a maliciously crafted Office file takes advantage of a vulnerability addressed by the MS09-027 update for Office, and as such this latest exploit is referred to as MacOS_X/MS09-027.A by Microsoft. This exploit is the same one being used by other recent malware that uses Office documents as a means to attack Macs.
In essence, the exploit involves causing a stack-based buffer overflow that results in corrupted variables being returned to the main stack. In this instance the malware is able to load a variable in the problematic function with malicious content, and then, by exploiting the function’s flaw, cause this content to be returned to the main program stack, where it can be run. Buffer overflow vulnerabilities are common bugs in programs, and are regularly patched in security updates (here’s an explanation of what a buffer overflow is and how it can be used in an attack).
Once the exploit happens, the malware runs and installs the following three files on the system along with some launcher files in the user’s LaunchAgents folder:
These three files work together to launch the main malware file (suspected to be “launch-hse”), which as with much recent malware is a command-and-control client and will run commands and otherwise communicate with remote servers.
If you have Office on your system, to check for and remove this malware open the OS X Terminal (located in the /Applications/Utilities/ folder) and run the following commands:
sudo rm /tmp/launch-hs
sudo rm /tmp/launch-hse
sudo rm /tmp/file.doc
sudo rm /Applications/Automator.app/Contents/MacOS/DockLight
sudo rm /Library/launched
sudo rm ~/Library/LaunchAgents/com.apple.FolderActionsxl.plist
sudo rm ~/Library/LaunchAgents/com.apple.DockActions.plist
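An added check script (not from the article or from Microsoft) that looks for the same artifacts the removal commands above target but deletes nothing, so you can confirm an infection before running them. The PREFIX and HOME_DIR arguments are my own addition so the check can be pointed at a staging directory; pass an empty PREFIX and your home directory to inspect the live system.

```shell
#!/bin/sh
# Added example: report the MacOS_X/MS09-027.A artifacts named in the article.
# Nothing is removed; the exit status is the number of artifacts found.

# System-wide paths from the article, relative to the filesystem root.
ms09027_system_paths() {
    cat <<'EOF'
/tmp/launch-hs
/tmp/launch-hse
/tmp/file.doc
/Applications/Automator.app/Contents/MacOS/DockLight
/Library/launched
EOF
}

# Per-user launcher plists; these sit under the affected user's ~/Library,
# so run the check as that user (or pass their home directory).
ms09027_user_paths() {
    cat <<'EOF'
Library/LaunchAgents/com.apple.FolderActionsxl.plist
Library/LaunchAgents/com.apple.DockActions.plist
EOF
}

# check_ms09027 PREFIX HOME_DIR
# Prints each artifact present and returns how many were found (0 = clean).
check_ms09027() {
    prefix=$1
    home_dir=$2
    found=0
    for p in $(ms09027_system_paths); do
        if [ -e "$prefix$p" ]; then
            echo "FOUND $prefix$p"
            found=$((found + 1))
        fi
    done
    for p in $(ms09027_user_paths); do
        if [ -e "$home_dir/$p" ]; then
            echo "FOUND $home_dir/$p"
            found=$((found + 1))
        fi
    done
    return $found
}

# Check the live system: empty PREFIX, current user's home directory.
check_ms09027 "" "$HOME"
echo "artifacts found: $?"
```

If any artifact is reported, the plists should also be unloaded from launchd before the files are deleted, otherwise the running agent survives until the next login.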
Even though the vulnerability that makes this attack possible is present in all unpatched Office installations regardless of the OS they are running, Oh’s analysis shows it does not affect all versions of OS X. The target memory address used by the malware to exploit Office is handled differently by different versions of OS X, making it a problem in Snow Leopard, but not Lion. As described by Oh:
This corrupted variable is later used for a target address and is where the stage 1 shellcode is copied. The corrupted return address points to this target address as well. This target address is important, as, with Snow Leopard, we could confirm that it was used to exploit a specific location on the heap that is writable and also executable. The point is, that with Lion, that specific memory address can’t be written, so the exploit fails.
Because of such details, Oh speculates that the malware must be specifically targeting Snow Leopard users with this attack, and that first-hand knowledge of the differences between the operating system versions was needed in order to pull it off.
While this specific attack is relatively new, like other recent attacks it is making use of an old vulnerability that has been discussed for a while and for which a patch has been available for years. This serves as another reminder to always apply software updates, regardless of how irrelevant they may sound.
As we have seen, these vulnerabilities may be exploited at any time, and especially after they have been well documented by security companies and software developers. Once vulnerabilities are known, malware developers often distribute malware exploiting them and catch stragglers who haven’t updated their systems.