This article was published on April 16, 2012

Second Mac malware threat called SabPub rears its head, validating Apple’s decision to disable Java


Second Mac malware threat called SabPub rears its head, validating Apple’s decision to disable Java

In a set of recent updates to Mac OS X, Apple patched a vulnerability in Java that had allowed a Malware infection known as Flashback to spread to some 700K of its computers. Now, a new backdoor Java threat called SabPub has reared its head, validating Apple’s aggressive measures to block issues due to the plugin.

Internet security firm Kasperksy details a new malware variant called Backdoor.OSX.SabPub.a that is being spread using another exploit in Java.

Just last week, Apple released updates to remove the older Flashback malware from affected computers, but it also took an additional, agressive step. For any computers that had not accessed the Java plugin in the last 35 days, it completely disabled the plugin.

As a third-party addition, which is used less and less as the web moved away from Java as a platform for complex interactions, it was actually not necessary for a lot of people. Since vulnerabilities crop up a lot in the plugin, Apple decided to just slam the door shut entirely. It disabled both the plugin and the Java Web Start applet, making it nearly impossible for Java vulnerabilities to be exploited.

The <3 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol' founder Boris, and some questionable AI art. It's free, every week, in your inbox. Sign up now!

This has proven to be a good move, as the SabPub backdoor accesses a remote site once it infects a machine and it can continue to execute commands and make screenshots, transmitting those to the creators.

The malware appears to use the Exploit.Java.CVE-2012-0507.bf vulnerability and was first seen two months ago and seems to have originated in China. The vector of the attack appears to be an infected Word document. Kaspersky’s Costin Raiu says that the company will continue to investigate.

Raiu says that the Word document that is being used to transmit the malware has ties to a statement by the Dalai Lama.

In case you are wondering, the name of the file (“10th March Statemnet”) is directly linked with the Dalai-Lama and Tibetan community. On March 10, 2011, the Dalai-Lama released a special statement related to Anniversary of the Tibetan People’s National Uprising Day — hence the name.

The Flashback malware had spread to some 700,000 infected systems as of last week, by taking advantage of a security flaw in Java which had been discovered in February. The security of Mac computers at large was obviously in question, so it’s good to see Apple take decisive action, although it would have been nice to see it a bit sooner, as this was a known vulnerability.

The addition of this new SabPub threat validates Apple’s decision to disable Java entirely for those users that have not used it in some time. Doubtless more instances of malware like this will continue to crop up and, at least as of now, the popular tactic seems to be using Java as an entry point.

Notably, Apple no longer ships OS X Lion with Java pre-installed, you have to download and install it yourself if you choose to use it. And there are less and less sites that require it to operate properly. So do yourself a favor; disable Java on your Mac and keep it updated with the latest Apple security patches.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with