Late on Friday, Microsoft published a statement on its security blog revealing that it was joining the growing list of well-known companies who had suffered at the hands of hackers.
Microsoft says that a “small number of computers”, including some in the company’s Mac business unit, were infected by malware.
As reported by Facebook and Apple, Microsoft can confirm that we also recently experienced a similar security intrusion.
Consistent with our security response practices, we chose not to make a statement during the initial information gathering process. During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing.
This type of cyberattack is no surprise to Microsoft and other companies that must grapple with determined and persistent adversaries (see our prior analysis of emerging threat trends). We continually re-evaluate our security posture and deploy additional people, processes, and technologies as necessary to help prevent future unauthorized access to our networks.
If Microsoft is right, and the attack is similar to those which impacted the likes of Facebook and Apple, then a key part of the attack was the exploitation of a Java browser plug-in vulnerability.
Simply visiting an infected webpage with a browser which had Java enabled would be enough to silently infect computers via a drive-by download.
If we have to say it once, twice or a thousand times – we’ll keep on saying it:
If you don’t need Java enabled in your browser, turn it off now
Because if you don’t, yours might be the next company having to make any uncomfortable announcement about a security breach.
Like Facebook before it, Microsoft chose to release the news on a Friday afternoon, west coast time.
Although some might view the timing of the disclosure cynically, and speculate that the bad news was released just before the weekend to limit its pick-up by the press, the good news is that Microsoft says it has found no evidence that any customer data was compromised as a consequence of the attack.
Let’s not forget who the real villains are in this story – it’s the criminal gangs who infected legitimate websites, and spread malware designed to steal information from unsuspecting computer users.
Knowing Microsoft, I am confident that they will be sharing information with the authorities and doing everything they can to ensure that the culprits are brough to justice.
If you haven’t already done so, patch your computers and consider running anti-virus software on your Macs as well as your PCs. Clearly some of the bad guys are targeting Mac OS X, knowing that many “cool” developers prefer to write their software on shiny Apple hardware as well as dull beige PCs.
Sophos has a free Mac anti-virus for home users if you want to give it a whirl.
Microsoft image from Shutterstock.