MS Office exploit that targets MacOS X seen in the wild (alienvault.com)
37 points by cooldeal on March 28, 2012 | hide | past | favorite | 6 comments



> An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

I don't quite understand this. From the article it looks like the trojan escapes the Word document to the execution realm through your typical vulnerability. Fair enough. But so far it looks like it only has rights corresponding to the user.

So as far as I understand it, this needs a privilege escalation vulnerability to 'take complete control' and 'create new accounts'.

It seems to copy itself to /Library/launched though, which here is

    drwr-xr-x+ 65 root wheel 2210 Feb  2 14:45 /Library
So it looks like it's going root at some point, but it's not described in the document. But since it has root, why would 'Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights'?


You are most likely running 10.7 and it was installed clean. Previous versions of Mac OS X made that directory group-writeable by default (and 10.7 upgraded from a previous system will keep the old permissions).

Here's the line for 10.6:

    drwxrwxr-t+ 61 root  admin      2074  3 Nov 18:12 /Library


The system I'm on now was upgraded to 10.7 from 10.6 recently and has

    drwxr-xr-x+ 69 root  wheel      2346 Feb 29 12:14 Library
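The commenters above are reading `ls -ld` lines by eye to decide whether /Library is writable by the admin group (the 10.6 default) or only by root (clean 10.7). The script below is an added example, not code from the thread or from any of the posters: it parses such a line, reports the owning group and whether the group write bit is set, and can run the same check against a live directory. The two sample lines are the constructed 10.6 and 10.7 entries quoted in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example: classify `ls -ld` output for a directory such as /Library.

# perm_class MODE
# Prints "group-writable" when the group write bit (6th character of a mode
# string such as "drwxrwxr-t+") is set, otherwise "owner-only". The sticky
# bit ("t") only stops users deleting each other's files; it does not stop
# a group member from dropping a new file into the directory.
perm_class() {
    gw=$(printf '%s' "$1" | cut -c6)
    if [ "$gw" = "w" ]; then
        echo group-writable
    else
        echo owner-only
    fi
}

# check_ls_line "LINE"
# Takes one full `ls -ld` line and prints "<path> <group> <class>".
# Field 1 is the mode, field 4 the owning group, and the last field the
# path; the date columns in between differ in layout (e.g. "3 Nov" vs
# "Feb  2") but not in field count, so positional splitting is safe here.
check_ls_line() {
    set -f                 # no glob expansion while word-splitting the line
    set -- $1
    set +f
    mode=$1
    group=$4
    shift $(($# - 1))
    path=$1
    echo "$path $group $(perm_class "$mode")"
}

# check_live_dir DIR
# Runs the same classification against a directory on the running system.
check_live_dir() {
    check_ls_line "$(ls -ld "$1")"
}

# Constructed sample lines, as quoted in the comments above (10.6, then 10.7).
SNOW_LEOPARD='drwxrwxr-t+ 61 root  admin      2074  3 Nov 18:12 /Library'
LION='drwxr-xr-x+ 65 root wheel 2210 Feb  2 14:45 /Library'

check_ls_line "$SNOW_LEOPARD"   # /Library admin group-writable
check_ls_line "$LION"           # /Library wheel owner-only
```

On a 10.6-style system the first line means every account in the `admin` group, which is the account type Setup Assistant creates by default, can write into /Library without any privilege escalation, so code running as the logged-in user can persist there. On a clean 10.7 install the same write needs root. Running `check_live_dir /Library` on an upgraded machine is a quick way to see which case it is in.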


Interesting, it could be my 10.6 system was an upgrade from 10.5. Might have to boot my PowerPC MacMini and see what it says...


This is why we need sandboxing on the mac. I wonder whether there are particular barriers for Microsoft to add that sooner rather than later?


Who else is with me on this? Fucking MS Office.



