Apple Falls Prey to Java Browser Malware
CREDIT: Image composite by SecurityNewsDaily
The normally tight-lipped Apple Inc. admitted today (Feb. 19) that it was the latest victim of a cyberattack that also caused trouble for Facebook and possibly Twitter.
The malware, which takes advantage of a Java vulnerability, is similar to a bug used to infiltrate Facebook's systems in an incident Facebook disclosed Friday (Feb. 15).
In both instances, attackers used a "watering hole" strategy by planting malware on a website frequented by software developers in order to infect the machines of individuals in that particular community.
Rumors flew around the Web about exactly which developer site it was, though of course more than one site could have been infected.
"Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers," Apple told Reuters in an official statement.
"We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple."
Apple pushed out a Mac OS X software update today to patch the vulnerability in Macs with Java installed.
Java, which creates a separate software environment within computers and mobile devices, has seen at least two big malware outbreaks in the first six weeks of this year. Many security experts recommend users disable Java browser plug-ins entirely.
An unnamed source told Reuters that the same Java-based malware campaign hit Twitter, which disclosed on Feb. 1 that 250,000 user accounts had been compromised as a result of a hack.
A separate source told Reuters that hundreds of companies, including some defense contractors, had also been infected.
However, both sources refrained from pointing fingers at where the malware originated.
"This is a new campaign," one source told Reuters. "It's not like the other ones you read about where everyone can tell it's China."
Convenience vs. risk
The advantage of writing programs in Java is its ability to run on any platform, eliminating the need to redevelop programs specifically for Mac, Linux or Windows. The advantage to a malware creator is that a Java bug will infect any machine.
For those who recently purchased a new Mac computer, or will in the near future, this particular problem has been partly mitigated, because the most recent versions of Mac OS X no longer ship with Java.
However, users can easily install the software if they need it. It's understandable why Mac software developers would have Java, and Java browser plug-ins, installed on their machines.
But unless you're a professional software developer or you do a lot of Web conferencing, Java in the browser is probably more of a liability than an asset.
(Users can disable Java browser plug-ins and still run Java-based stand-alone apps, such as the game "Minecraft" and some parts of the Adobe Creative Suite.)
This isn't the largest attack against Apple computers — that honor goes to the Mac Flashback Trojan, which used a different Java flaw to infect more than 600,000 Macs a year ago — but since it penetrated Apple's own employee network, it may go down in history as the most infamous.
Until recently, Mac users have enjoyed an online environment relatively free of compatible malware as hackers have focused most of their efforts on infecting the more ubiquitous Windows operating systems.
That's changed as Apple's desktop market share has grown, and as it's become clear to industrial spies that many social-media software developers like to use Apple machines.