Apple is the latest major American company to enter the security confessional and disclose it has been breached. The company told Reuters today it was attacked by the same crew that hit Facebook, which disclosed its breach last Friday, and that like the social media giant, no data had been stolen.
In both cases, attackers exploited a Java zero-day vulnerability, here to gain access to Apple machines. Reuters is reporting that the same attack was used against other Mac computers at hundreds of companies, including some in the defense industrial base.
“Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers,” said Reuters, quoting a statement from Apple. “We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple.”
Apple said it is working with law enforcement and also plans to release a tool to repair the infected Mac machines.
The Java zero-day in question was patched Feb. 1 when Oracle accelerated the release of its quarterly patch update for Java. The update (Java 7u13) patched 50 vulnerabilities, many of which were remotely exploitable without authentication. Two vulnerabilities that could enable an attacker to bypass the Java sandbox were reported to Oracle on Jan. 18 and patched in 7u13. In the meantime, experts have urged users to disable the Java browser plug-in. Last October, Apple released a Mac OS X update that removed the Java applet plug-in from all browsers on the platform.
Attacks against Apple’s Mac platform have been accelerating since the Flashback Trojan of a year ago, when more than 600,000 Mac OS X machines were infected. Flashback and its many variants had a number of capabilities, some of them exploiting Java vulnerabilities in order to drop malware that would steal valid user credentials for high-value websites. Since then, attacks have also targeted Mac users through human rights websites, such as that of the Dalai Lama and sites run by supporters of the Uyghur in China and Kazakhstan.
Meanwhile, it is becoming clearer that the attacks against Apple, Facebook and, earlier this month, Twitter are linked. All three companies said the attacks on them were part of larger campaigns, and all three have some link to Java vulnerabilities and exploits.
Facebook reported last Friday that several employees’ laptops were infected with malware exploiting Java vulnerabilities when they visited a mobile developer website hosting a sandbox-bypass exploit. Facebook said it found a suspicious domain in its DNS logs and tracked it back to an employee laptop. Further investigation revealed similar compromises on other laptops. Facebook said it was not alone and that other companies had been similarly attacked.
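Facebook’s pivot from one suspicious domain in DNS logs to the laptops that resolved it is the kind of hunt any security team can run over its own resolver logs. The following is an added example, not Facebook’s or Apple’s tooling: it parses constructed resolver log lines (the timestamp/client/qname/qtype format, the hostnames, the IP addresses and the watchlisted command-and-control domain are all made up for illustration), reports which hosts queried a watchlisted domain or any subdomain of it and when they first did so, and separately lists domains that only a single host resolved, which is a cheap way to surface candidates before an indicator exists.

```python
"""Hunt a DNS resolver log for a suspicious domain and pivot to the hosts that asked for it.

Added example; not code from Facebook, Apple or any vendor. The log format, hostnames,
domains and IP addresses below are constructed for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass
import re

# Constructed resolver log: "<ISO timestamp> <client ip> <qname> <qtype>", one query per line.
SAMPLE_LOG = """\
2013-02-14T09:12:01Z 10.20.1.15 www.example.com A
2013-02-14T09:12:03Z 10.20.1.15 cdn.example.net A
2013-02-14T09:12:09Z 10.20.1.22 www.example.com A
2013-02-14T09:12:44Z 10.20.1.15 update.attacker-example.invalid A
2013-02-14T09:13:02Z 10.20.1.22 mail.example.com AAAA
2013-02-14T09:14:10Z 10.20.1.15 update.attacker-example.invalid A
2013-02-14T10:01:55Z 10.20.1.37 cdn.example.net A
2013-02-14T10:02:30Z 10.20.1.37 update.attacker-example.invalid A
"""

# Constructed indicator: the command-and-control domain the hunt is looking for.
WATCHLIST = {"update.attacker-example.invalid"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d{1,3}(?:\.\d{1,3}){3}) (?P<qname>\S+) (?P<qtype>\S+)$"
)


@dataclass(frozen=True)
class Query:
    ts: str
    client: str
    qname: str
    qtype: str


def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; fold both so matching is exact."""
    return qname.rstrip(".").lower()


def parse_log(text: str) -> list[Query]:
    """Parse the constructed log format; fail loudly on a malformed line rather than skip evidence."""
    queries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable DNS log line {lineno}: {line!r}")
        queries.append(Query(m["ts"], m["client"], normalize(m["qname"]), m["qtype"]))
    return queries


def hosts_for_domains(queries: list[Query], watchlist: set[str]) -> dict:
    """Return {domain: {client_ip: (first_seen, hit_count)}} for each watchlisted domain.

    A subdomain of a watchlisted domain counts as a hit too, since attackers rotate
    hostnames under a domain they control.
    """
    watch = {normalize(d) for d in watchlist}
    hits: dict = defaultdict(dict)
    for q in queries:
        for d in watch:
            if q.qname == d or q.qname.endswith("." + d):
                first, count = hits[d].get(q.client, (q.ts, 0))
                # ISO-8601 timestamps in one format sort correctly as strings.
                hits[d][q.client] = (min(first, q.ts), count + 1)
    return dict(hits)


def rare_domains(queries: list[Query], max_clients: int = 1) -> list[str]:
    """Domains resolved by at most `max_clients` distinct hosts, for analyst triage.

    Rarity is a hint, not an indicator: a benign domain one person uses shows up here too.
    """
    clients: dict = defaultdict(set)
    for q in queries:
        clients[q.qname].add(q.client)
    return sorted(d for d, c in clients.items() if len(c) <= max_clients)


if __name__ == "__main__":
    queries = parse_log(SAMPLE_LOG)
    for domain, clients in hosts_for_domains(queries, WATCHLIST).items():
        for client, (first_seen, count) in sorted(clients.items()):
            print(f"{domain}: {client} first seen {first_seen}, {count} queries")
    print("rarely resolved domains:", rare_domains(queries))
```

On the constructed log the watchlist pivot names two hosts, 10.20.1.15 (first seen 09:12:44, two queries) and 10.20.1.37 (first seen 10:02:30, one query), which is the "further investigation revealed similar compromises on other laptops" step in miniature. The rarity pass, by contrast, returns only mail.example.com, a benign name one host happened to resolve, which is why that list is for triage rather than alerting. Real resolver logs usually record the client by IP, so a DHCP lease table or EDR inventory is needed to map each IP to a laptop and owner.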
Twitter, meanwhile, reported on Feb. 1 that it was alerting users that up to 250,000 accounts may have been compromised and that session tokens and passwords may have been accessed.
The disclosure by Twitter came shortly after the New York Times and Wall Street Journal reported they had been infiltrated by attackers. Twitter, as Facebook would later, said it was not alone, and it recommended that users disable the Java plug-in, change their passwords and refrain from using third-party services that promise to increase a user’s follower count.