Microsoft coughs to Java exploit breach

February 25, 2013 // 10:41 a.m.

Tags: #0-day #apple #exploit #facebook #java #microsoft #oracle #security #twitter #vulnerability #watering-hole-attack #zero-day

Microsoft has confessed that its staff have fallen victim to a Java-based exploit that has also claimed Facebook and Apple in a string of high-profile intrusions - but, as with the other organisations, claims its customers' data is safe.

Microsoft's announcement makes it the latest in a string of high-profile targets of a particularly successful 'watering hole' attack, in which a malicious Java file was served by a seemingly trustworthy site aimed at developers working on apps for Apple's iOS mobile operating system. The file silently installed a back-door on visitors' systems, without the users' knowledge, by exploiting a since-patched flaw in Oracle's Java Virtual Machine (JVM) - and it was not stopped by the operating system's built-in security features or by anti-virus packages.

Twitter was one of the first high-profile sites to fall victim to the attack, confessing that 'limited user information - usernames, email addresses, session tokens and encrypted/salted versions of passwords - for approximately 250,000 users' had been accessed during the attack. This was soon followed by similar reports from Facebook and Apple, both of whom were quick to claim that no customer information had been put at risk as a result of the infection.

'Consistent with our security response practices, we chose not to make a statement during the initial information gathering process,' Microsoft's Matt Thomlinson, general manager of the company's Trustworthy Computer Security division, offers as explanation for why his company has waited until now to announce the attack. 'During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organisations. We have no evidence of customer data being affected and our investigation is ongoing.'

The flaw used in the watering hole attack, which specifically targeted iOS developers, was patched by Microsoft back in January along with Oracle itself, while Apple only recently released an OS X patch to resolve the same issue.