bit-tech.net

Microsoft coughs to Java exploit breach

The same flaw in Oracle's Java software that brought Twitter, Facebook and Apple low has been confirmed as having resulted in a breach at Microsoft.

Microsoft has confessed that its staff have fallen victim to a Java-based exploit that has also claimed Facebook and Apple in a string of high-profile intrusions - but, as with the other organisations, claims its customers' data is safe.

Microsoft's announcement is the latest in a string of high-profile targets for a particularly successful 'watering hole' attack, where a malicious Java file was served by a seemingly trustworthy site aimed at developers working on apps for Apple's iOS mobile operating system. This file secretly installed a back-door on the systems without the users' knowledge, using a since-patched flaw in Oracle's Java Virtual Machine (JVM) - and was not stopped by security systems built into the operating system or by anti-virus packages.

Twitter was one of the first high-profile sites to fall victim to the attack, confessing that 'limited user information - usernames, email addresses, session tokens and encrypted/salted versions of passwords - for approximately 250,000 users' had been accessed during the attack. This was soon followed by similar reports from Facebook and Apple, both of whom were quick to claim that no customer information had been put at risk as a result of the infection.

'Consistent with our security response practices, we chose not to make a statement during the initial information gathering process,' Microsoft's Matt Thomlinson, general manager of the company's Trustworthy Computer Security division, offers as explanation for why his company has waited until now to announce the attack. 'During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organisations. We have no evidence of customer data being affected and our investigation is ongoing.'

The flaw used in the watering hole attack, which specifically sought out iOS developers, was patched by Microsoft back in January along with Oracle itself, while Apple has only recently released an OS X patch to resolve the same issue.

1 Comment

Marquee 25th February 2013, 15:25
Is it just me or is no one taking these guys as serious as they should be?
http://www.youtube.com/watch?NR=1&v=xA4it2ZTvIk&feature=endscreen