Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the TidBITS Content Network for Apple consultants.

SabPub Malware Infects Unpatched Word and Java Installations

Although security-related updates sometimes introduce other problems, it is becoming all the more important to install them quickly regardless. In particular, Mac users who haven’t installed Apple’s Java updates for Mac OS X 10.7 Lion and 10.6 Snow Leopard, and users still using unpatched copies of Microsoft Word 2004 and 2008, are vulnerable to recent variants of malware. That’s the warning from Mac security firm Intego, whose VirusBarrier malware definitions dated 12 April 2012 or later can detect and remove these variants.

As we wrote in “How to Detect and Protect Against Updated Flashback Malware” (5 April 2012) and “Apple Releases Flashback Malware Removal Tools” (12 April 2012), Apple has released updates to its Java software for Lion and Snow Leopard that eliminate the Java vulnerabilities and remove the most common variants of Flashback. If you haven’t already installed the appropriate Java update for your Mac, do so immediately, or disable the Java plug-ins in your Web browsers (instructions are in the first article linked above). Disabling Java is the best solution for those using versions of Mac OS X older than 10.6 Snow Leopard.

Intego says the original SabPub malware exploited the same Java vulnerability as Flashback and “seeks to connect to remote command and control servers, presumably to harvest information on infected Macs.” A newer version of SabPub takes advantage of a vulnerability in older versions of Microsoft Word to infect Macs with the malware.

The company says unpatched versions of Microsoft Word 2004 and Word 2008 are vulnerable, but Word 2011 is not. (Microsoft fixed the vulnerability in 2009, and it’s telling that the bad guys think it’s worth trying very old vulnerabilities to infect users who haven’t kept their software up to date.) In addition, files in Microsoft Word’s current .docx format are not vulnerable, just those using the older .doc format. To be clear about what “unpatched” means, users of Word 2004 and Word 2008 who have installed the security update described in Microsoft’s Security Bulletin MS09-009 are not vulnerable. If you’re not certain if you have installed that update, run the Microsoft AutoUpdate application, typically found in the Microsoft Office folder or the Applications folder, and allow it to install any available security updates. You may need to install multiple updates sequentially.

And, as always, be careful about opening Word documents — or any attachments, really — from unknown sources. The Quick Look feature in Mac OS X (select the file and press the Space bar) is probably a safer way to peek inside many common file types if you’re uncertain as to what the file might contain.


Try productivity tools from Smile that will make your job easier!
PDFpen: PDF toolkit for busy pros on Mac, iPhone, and iPad.
TextExpander: Your shortcut to accurate writing on Mac, Windows,
and iOS. Free trials and friendly support. <>

Comments about SabPub Malware Infects Unpatched Word and Java Installations
(Comments are closed.)

Cannot find the Microsoft Office Updater in the described folders on my 2011 iMac. Using Office for Mac 2008. I searched for the updater on Microsoft's site and the one available does not work on Intel only Macs. How would one go about making sure that Office was updated with the 2009 update that prevents SubPub?
Adam Engst  An apple icon for a TidBITS Staffer 2012-04-24 05:45
Looks like Microsoft hid it in a surprising place in Office 2008:

~/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate

But in Office 2008, the easier way to get it is to choose Check for Updates from the Help menu in any Office application.
Do these vulnerabilities rely on the user being an admin (or does having a separate admin account provide some protection)?
Adam Engst  An apple icon for a TidBITS Staffer 2012-04-24 10:29
Honestly, I don't know - I haven't seen that mentioned in writeups from the companies that have examples. For safety's sake, I wouldn't assume that a separate admin account would help.
Apple's Max OS X Security Configuration Guide, the most recent was the Snow Leopard Security guide, recommends not to use the administrator account for daily activities. They imply his may prevent unauthenticated changes to system settings.
Adam Engst  An apple icon for a TidBITS Staffer 2012-04-24 16:08
It may, but the Java vulnerability exploited by the initial version of SabPub (and Flashback) was equally a problem on administrator and standard accounts, from what I've heard.

Running as a standard user is sort of a weird thing - you either need an admin-level user around to help with software installation and the like, or you need to be sufficiently savvy that you could just be an admin user anyway. It's extremely uncommon - I know of only a handful of people who do it, and all are extremely savvy and don't mind the extra password prompts.
Is opening an infected file with pages safe?
Adam Engst  An apple icon for a TidBITS Staffer 2012-04-24 10:30
Yes, it would be, since Pages has very different code (and thus different vulnerabilities, if any).