Sophos Cloud Optix
Late on Friday, Microsoft published a statement on its security blog revealing that it was joining the growing list of well-known companies who had suffered at the hands of hackers.
Microsoft says that a “small number of computers”, including some in the company’s Mac business unit, were infected by malware.
As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion.
Consistent with our security response practices, we chose not to make a statement during the initial information gathering process. During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing.
This type of cyberattack is no surprise to Microsoft and other companies that must grapple with determined and persistent adversaries (see our prior analysis of emerging threat trends). We continually re-evaluate our security posture and deploy additional people, processes, and technologies as necessary to help prevent future unauthorized access to our networks.
If Microsoft is right, and the attack is similar to those which impacted the likes of Facebook and Apple, then a key part of the attack was the exploitation of a Java browser plug-in vulnerability.
Simply visiting an infected webpage with a browser which had Java enabled would be enough to silently infect computers via a drive-by download.
If we have to say it once, twice or a thousand times – we’ll keep on saying it:
If you don’t need Java enabled in your browser, turn it off now
Because if you don’t, yours might be the next company having to make any uncomfortable announcement about a security breach.
Like Facebook before it, Microsoft chose to release the news on a Friday afternoon, west coast time.
Although some might view the timing of the disclosure cynically, and speculate that the bad news was released just before the weekend to limit its pick-up by the press, the good news is that Microsoft says it has found no evidence that any customer data was compromised as a consequence of the attack.
Let’s not forget who the real villains are in this story – it’s the criminal gangs who infected legitimate websites, and spread malware designed to steal information from unsuspecting computer users.
Knowing Microsoft, I am confident that they will be sharing information with the authorities and doing everything they can to ensure that the culprits are brough to justice.
If you haven’t already done so, patch your computers and consider running anti-virus software on your Macs as well as your PCs. Clearly some of the bad guys are targeting Mac OS X, knowing that many “cool” developers prefer to write their software on shiny Apple hardware as well as dull beige PCs.
Sophos has a free Mac anti-virus for home users if you want to give it a whirl.
Microsoft image from Shutterstock.
Not until these organizations begin facing massive amounts of Civil & Class Action law-suits from end-users and just regular folk will any of them take these violations seriously.
Instead of allowing the manufactures of o/s's to simply take your money and put out another o/s, why not force them to spend the required time & funds in order to keep your personal data (and the data of those in your contact books & friend list) safe?
They are after all supposely some of the most brilliant minds on the planet! – ceiloazule
…er, exactly what organizations are you referring to? You seem to have some kind of special hatred for "manufactures of o/s's" (sic), by which I assume you mean manufacturers of operating systems (OSs). But this article identifies two OS manufacturers (Apple and Microsoft) who themselves were victims of the malware in question. So your "remedy" is to punish the victims? Wow.
Or do you want to punish Oracle, who now owns Java? But the problem isn't actually with Java itself, which is a system that runs Java apps just fine on its own. The problem is with the Java Applet Plugin, which runs in a browser. So I guess we should punish all the browser manufacturers too.
Your demand makes no sense. If you want to blame someone, blame the jerks who write the malware and are constantly conspiring to find new ways to create even more victims. Stop demanding that the state drain even more resources from the software manufacturers through punitive actions they don't deserve—actions that won't solve the problem. They're among the most qualified people to develop and implement the solutions that will help keep us all (including themselves) from further victimization by the bad guys.
I sympathise with Ceilo's comment.
I think his point was: why should we treat OS manufactures differently than we treat most manufactures? Example: car manufacturing, the industry must comply with safety regulations. Could we have some kind of regulation that would establish a minimum set of security requirements that an OS must comply with? Shouldn't these companies have some kind of liability when their products allow (due to unsafe design) users to be hacked?
There are plenty of decisions taken at design time that make an OS safer:
– personal information must always be stored encrypted
– personal data should always be transmitted encrypted.
– user-level applications should never be part of the OS
– etc.
I'm not suggesting these requirements would prevent all attacks, but they would certainly make attacks a lot harder to succeed.
Ceilo,
Try to prosecute someone in the Republic of Georgia, Sudan, Ethiopia, Saudi Arabia, Afghanistan, or any of a number of countries.
Why do we accept buggy software? Perhaps if people wouldn't buy software with so many bugs in it, than people wouldn't sell it.
Oh, and that Sophos for the Mac is very good. It detects the bad stuff, and lets you get rid of it. All for free! Great job Sophos.
Since when is Micro$oft products being easy to hack and prone to bugs news?