Apple’s not invulnerable, after all.
A small number of Apple employees’ computers were hacked recently by the same crew that attacked Facebook, and which Facebook claimed it traced back to China. In that case, Facebook said, its employees’ machines were fully patched and up-to-date, and entry was gained via a previously unknown zero-day attack in the Java browser plugin.
In a statement released to AllThingsD, Apple said there was no evidence the attack succeeded in getting any corporate data:
Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware.
Java is notoriously a source of security problems, and Apple says it will release a software tool later today to patch the problem. Oracle had provided a patch on February 1, 2013, according to Facebook, but Apple is not known for being quick to release new updates. That update is not yet available, at least according to my MacBook Air’s software update mechanism.
Worth noting: Apple has not shipped Java since Mac OS X Lion — which launched in July of 2011 — and also disables Java if it has not been used in 35 days.
Apple says it is assisting authorities in tracking down the hackers.