Apple has confirmed that some of its systems were breached in a hack attack that exploited a Java vulnerability — the same sort of attack that Facebook recently acknowledged breached its defenses. Shortly after the announcement, both Apple and Oracle released patches to fix security bugs in Java.
Nicole Perlroth with The New York Times reported, “After Facebook and Twitter announced that they were breached by sophisticated hackers in recent weeks, Apple said it had been attacked, too, in a rare admission for the technology giant. In a statement to reporters Tuesday, Apple said some of its computers were infected with the same malware that hit Twitter and Facebook. Like Facebook, Apple confirmed that its employees’ computers were infected with malware when they visited a Web site for software developers. Neither company has named the Web site. But according to a person with knowledge of Facebook’s investigation, the compromised site, iPhonedevsdk, an online forum for software developers, is still infected. (In other words, unless you want to be owned by hackers, do not visit the site.)”
CNET ran a statement from Apple, which read:
“Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware.
Since OS X Lion, Macs have shipped without Java installed, and as an added security measure OS X automatically disables Java if it has been unused for 35 days. To protect Mac users that have installed Java, today we are releasing an updated Java malware removal tool that will check Mac systems and remove this malware if found.”
Jim Finkle and Joseph Menn with Reuters added, “The breaches described by Apple mark the highest-profile cyber attacks to date on businesses running Mac computers. Hackers have traditionally focused on attacking machines running the Windows operating system, though they have gradually turned their attention to Apple products over the past couple of years as the company gained market share over Microsoft Corp. ‘This is the first really big attack on Macs,’ said the source, who declined to be identified because the person was not authorized to discuss the matter publicly. ‘Apple has more on its hands than the attack on itself.’”
Computerworld’s Greg Keizer noted, “The day it acknowledged company-owned Macs had been hacked using a ‘drive-by’ Java exploit, Apple on Tuesday patched the Oracle software for older systems and released a malware detection tool. The Apple-issued ‘Java for Mac OS X v10.6 Update 13’ aimed at OS X Snow Leopard included patches for the same 30 vulnerabilities in Java 6 that were addressed in a special Feb. 1 update, as well as three fixes that had not been released earlier. Also on Tuesday, Oracle updated Java 7. Like Apple, Oracle essentially bundled the Feb. 1 fixes with several new patches to create Java 7 Update 15.”