A site for iPhone developers called iphonedevsdk.com was the hub for a Java Zero Day attack on Twitter, Facebook and Apple.
Investigators identified the site as having been the center of a “waterhole” attack, where users end up drawn to the site in question because of its content, according to a Bloomberg report.
Apple is the latest company to reveal it found malware on employees’ laptops, apparently delivered using those drive-by attacks. The methodology appears to be very similar to what Facebook revealed it had been subject to in January. Apple gave no time frame for when it ended up attacked, but, according to Bloomberg, Apple was the first to discover the attacks. Investigators said they suspected the attacks were the work of Eastern European criminals rather than any state-sponsored hacking group.
Apple said it had “identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple.”
Apple also released an update to its Java 6 in Mac OS X which completely removes Java plugin support and directs users to Oracle for their Java 7 and plugin support. Oracle, who released an emergency patch for 50 vulnerabilities on Feb. 1 – in what appears to have been a response to the Facebook and Apple attacks – has released an updated version of that emergency patch with a handful of critical holes also closed.