Skip to content
Thoughtful, detailed coverage of everything Apple for 33 years
and the TidBITS Content Network for Apple professionals
8 comments

SabPub Malware Infects Unpatched Word and Java Installations

Although security-related updates sometimes introduce other problems, it is becoming all the more important to install them quickly regardless. In particular, Mac users who haven’t installed Apple’s Java updates for Mac OS X 10.7 Lion and 10.6 Snow Leopard, and users still using unpatched copies of Microsoft Word 2004 and 2008, are vulnerable to recent variants of malware. That’s the warning from Mac security firm Intego, whose VirusBarrier malware definitions dated 12 April 2012 or later can detect and remove these variants.

As we wrote in “How to Detect and Protect Against Updated Flashback Malware” (5 April 2012) and “Apple Releases Flashback Malware Removal Tools” (12 April 2012), Apple has released updates to its Java software for Lion and Snow Leopard that eliminate the Java vulnerabilities and remove the most common variants of Flashback. If you haven’t already installed the appropriate Java update for your Mac, do so immediately, or disable the Java plug-ins in your Web browsers (instructions are in the first article linked above). Disabling Java is the best solution for those using versions of Mac OS X older than 10.6 Snow Leopard.

Intego says the original SabPub malware exploited the same Java vulnerability as Flashback and “seeks to connect to remote command and control servers, presumably to harvest information on infected Macs.” A newer version of SabPub takes advantage of a vulnerability in older versions of Microsoft Word to infect Macs with the malware.

The company says unpatched versions of Microsoft Word 2004 and Word 2008 are vulnerable, but Word 2011 is not. (Microsoft fixed the vulnerability in 2009, and it’s telling that the bad guys think it’s worth trying very old vulnerabilities to infect users who haven’t kept their software up to date.) In addition, files in Microsoft Word’s current .docx format are not vulnerable, just those using the older .doc format. To be clear about what “unpatched” means, users of Word 2004 and Word 2008 who have installed the security update described in Microsoft’s Security Bulletin MS09-009 are not vulnerable. If you’re not certain if you have installed that
update, run the Microsoft AutoUpdate application, typically found in the Microsoft Office folder or the Applications folder, and allow it to install any available security updates. You may need to install multiple updates sequentially.

And, as always, be careful about opening Word documents — or any attachments, really — from unknown sources. The Quick Look feature in Mac OS X (select the file and press the Space bar) is probably a safer way to peek inside many common file types if you’re uncertain as to what the file might contain.

Subscribe today so you don’t miss any TidBITS articles!

Every week you’ll get tech tips, in-depth reviews, and insightful news analysis for discerning Apple users. For over 33 years, we’ve published professional, member-supported tech journalism that makes you smarter.

Registration confirmation will be emailed to you.

This site is protected by reCAPTCHA. The Google Privacy Policy and Terms of Service apply.

Comments About SabPub Malware Infects Unpatched Word and Java Installations