On February 15, 2013, Facebook announced a few of their employee laptops were targeted back in January in what the company has called a sophisticated attack. The press release stated a handful of employees visited a mobile developer website that had been compromised and, in turn, hosted an exploit which allowed malware to be installed on these laptops. February 19th and 22nd found Apple and Microsoft announcing they too were victims of this same attack.
An analysis of the occurrence revealed that a “zero-day” attack was used to bypass the Java sandbox in order to install malware. A zero-day attack is named as such because the developers of the exploited application have had zero days to address and patch the vulnerability. Facebook states that they confirmed their findings and provided a patch on February 1st to address the vulnerability. Facebook, Apple, and Microsoft all claim no end-user or customer data was compromised during the attack.
Even though reports of Java being compromised were hitting the internet as early as January 11th, Oracle, the company that develops Java software, did not announce a security patch for Java JDK and JRE 7 Update 10 and earlier until February 1, 2013. According to Oracle: “Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 “in the wild,” Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.”
These stories reinforce basic network and computer security practices. The number one way to mitigate cyber attacks is to patch your systems and add-ons. These attacks also illustrate that it is not just end-users who are vulnerable to these types of attacks, but corporations are just as vulnerable. Additionally, it should be pointed out that not only were PCs targeted in this attack, but the MAC OSX was also targeted.
For more information concerning the patch for Java CVE-2013-0422 you can visit www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html.