Apple hit by hackers who targeted Facebook last week

83 points by derpenxyne over 12 years ago

11 comments

0x0 over 12 years ago
Which web site was compromised? Several reports point to "a website for mobile software developers" as "the waterhole". Is it the apple ios dev center? The android sdk site? HN?

I'd be very interested in knowing if myself or coworkers may have been exposed (or in the best case, which waterhole website I've been missing out on)
guelo over 12 years ago
I see a lot of people bagging on Java but I think the real problem is the browsers. Java is the one being used in this attack but next time it could be Flash or Acrobat or any other plugin or even 3rd party JavaScript scripts. The default behavior of browsers should be similar to flash-block, Ghostery and other similar plugins: the plugin only runs when the user requests it by acknowledging the source and hitting a "play" button inside the page. No auto-loaded code should ever run.
devindotcom over 12 years ago
A minor point - Facebook wasn't targeted last week, they were targeted in January and it was reported last week. The timeline is important if we're going to be linking these together. I didn't see hack date info in the Reuters piece, did I miss it or was it not included?
robert-wallis over 12 years ago
In other news, "Windows laptop gets compromised, media responds 'And your point is?...'"

It would be nice if the attack vector were the main focus of the article, but how much publicity would "Java plugin allows Facebook and Apple to be hacked." get?

Here's some perspective: http://www.qualys.com/research/top10/

Also here's their site where you can check your current config: https://browsercheck.qualys.com/
suyash over 12 years ago
Which websites are they talking about? Also, which browsers are infected (Chrome only or Safari, Chrome, Firefox etc)?
mtgx over 12 years ago
How do they *know* it's the same hackers? If they are only assuming they should state so.
gph over 12 years ago
The authors of this piece try to make it out like it's Apple that's now become a security risk, when this hack is really Java's fault. It makes you wonder if Oracle is entirely up to the responsibility that comes along with inheriting the entire Java-sphere.
recoiledsnake over 12 years ago
Looks like the "Write Once, Run Anywhere" Java mantra is true for malware too. Pretty much any run-of-the-mill Windows PC, Mac or Linux machine is vulnerable to this.

http://en.wikipedia.org/wiki/Write_once,_run_anywhere
corresation over 12 years ago
I find this a bit concerning not because Apple was hit, but because getting hit by some Java-malware necessitates a public statement. Anyone here in an organization of more than about 10 users likely has one or more of them with malware of some sort on their device right now, and it is treated as just the cost of the platform. In my organization I'm sort of the paranoid in that I treat every exposure as a serious event, but I am very much alone on that.
cooldeal over 12 years ago
> only a small number of its employees' Macintosh computers were breached, but "there was no evidence that any data left Apple."

Looks like Apple is worried more about leaks of their unreleased products. I would be more worried about data entering Apple, whether any websites were injected with malware or, in a much more unlikely scenario, malicious code being injected into OS code or apps.
drivebyacct2 over 12 years ago
The sooner Google and Mozilla make Click-to-Run the default, the sooner more clueless people will be safer.