Old Microsoft Office for Mac vulnerability actively used to install malware

Not surprisingly, more than two and a half years after a critical patch has been delivered, we see customers that didn’t update. And if we can see them, then also the bad guys see them as well. Even worse, we see such an issue affecting MacOS users who usually are not used to think to install anti-malware protection.

That’s because most of the users think that Macs don’t get malware. But as reader of this blog, you know that this is a myth…

As any other myths, this one is also wrong. Macs do get malware and we see this pretty often. In order to protect the Macs we released a dedicated security solution which is completely free.

The already forgotten MS09-027 published in June 2009 (!!!) which could allow remote code execution in Microsoft Office, makes waves again. As presented at that time, also the Microsoft Office for Mac 2004 and 2008 were affected.

Security researchers analyzed the spear phishing attacks that spread the emails containing specially crafted Word documents making use of this security vulnerability. According to the researchers, once the document is opened, the affected software executes some shell scripts that drops a binary embedded in the document and starts it. This executable is even signed with a fake Avira GmbH digital signature.

On Macs, this executable, delivered even for PowerPC and Intel, installs a backdoor which monitors everything what the user does (yes, it can copy usernames, passwords, it can spy even audio, etc.).

As usual, we advise our readers to install the latest updates for their applications and operating system.

In order to protect the users who didn’t install the required patches, we released a generic detection for the Word vulnerability. As of today, all Avira software running the engine version and above detect the Word documents as  EXP/Word.Exploit.Gen.

Don’t forget that we  have now protection for Macs and it is for free.


Sorin Mustaca

Data Security Expert