How's this for a helluva endorsement for Windows security over OS X? Today, Microsoft acknowledged falling prey to a "similar security intrusion" as Apple and Facebook. They got nabbed by a Java exploit affecting Apple's OS.
"We found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations", says Microsoft security chief Matt Thomlinson.
Apple made a similar admission on February 19 and Facebook a week ago. Apple issued an OS X fix removing Java, while Facebook disabled the tech. Microsoft disclosed no such action for its users. Party line: No data was taken.
Facebook offers the most details on what happened: "After analyzing the compromised website where the attack originated, we found it was using a 'zero-day' (previously unseen) exploit to bypass the Java sandbox (built-in protections) to install the malware. We immediately reported the exploit to Oracle, and they confirmed our findings and provided a patch on February 1, 2013, that addresses this vulnerability".
My question: Who among the big companies discloses next? Surely these three aren't the only ones running Macs and Java.
Microsoft's full statement:
As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion.
Consistent with our security response practices, we chose not to make a statement during the initial information gathering process. During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing.
This type of cyberattack is no surprise to Microsoft and other companies that must grapple with determined and persistent adversaries (see our prior analysis of emerging threat trends). We continually re-evaluate our security posture and deploy additional people, processes, and technologies as necessary to help prevent future unauthorized access to our networks.
Matt Thomlinson
General Manager
Trustworthy Computing Security