That can imply that Macs are being used elsewhere in Microsoft apart from the Mac Business Unit. The malware was hosted on an iPhone dev site, and Microsoft has a lot of iPhone app development going on with Bing, Photosynth, Xbox etc. which are not part of the Mac Business Unit.

The computers hacked at Facebook were Macs. (Facebook devs pretty much use Macs exclusively). The ones at Apple were pretty obviously Macs. So the implied assumption in the absence of concrete information is that it was pretty much all Macs even at Microsoft targeted by this particular hack(although the exploit itself was cross platform).

"including some in our Mac business unit"

That doesn't necessarily mean they were macs, it just means they were computers in the Mac business unit. Still, they may have been macs.

Also notice how none of their Linux pcs got hacked?

Yes, it was just the macs. The attack vector was a Java vulnerability, but the payload is always OS specific. Some attacks have been known to serve different payload after sensing the OS. But not this one. This payload was Mac specific, and Mac computers were the only one affected.

Coincidentally, the Java vulnerability exploited in the attack had been patched by Oracle several weeks before. But the vulnerability was still in the Apple maintained Java 6 (Apple still maintains their own Java 6 until EOLed - Oracle has only committed to maintain Java 7 on OS X).

This is all Macs and all Apple.

Not sure where you got that. The claim is that Macs don't get virus', and don't need virus protection unless you have PC's on your subnet or interact with PC's, in which case, to protect the Windows machines, you may have to cripple Macs with AV software. It's actually quite anathema. If only Windows wasn't broken...

Isn't Insightful what people get for making jokes? It always seemed that way.

I don't know about you, but the rest of us realized that was all sarcasm and that saying anything was immune was stupid.

I got into a bit of a flame war back and forth with a guy when the Java vulnerability first appeared. He said it would only affect PCs since viruses don't work on Mac or Linux. I called bs he responded with "they use different filesystems, learn something before spewing off at the mouth." To which I replied: 1) this is a browser based attack and 2) do you think a hacker can't figure out /home/bob rather than \Users\bob? My God the things people come up with. All three platforms now have a request for elevation kind of mechanism that is supposed to protect you. The problem is for 90% of users a UNC prompt or its mac/linux equivalent pops up and they click ok. To most users the fingers go in the ears as soon as you try to explain the risks and what is happening and they just ask "So what do I need to click to continue?" This is more a mental problem then a technological one and I don't see any likely solution. Sandboxing like Win 8 Modern can help where you at least in theory make no app able to see each other directly or even the whole of the filesystem but there are just too many use cases where being able to browse all the filesystem, one app needs to get something from anothers space etc that are needed.

The malware on android (which is not the same as Linux) is from side-loading apps that people download to their phones from who-knows-where and installs them themselves. It's not the result of some drive-by download or OS exploit.

Oh sure. Everything that has been said about Macs and Linux still stands.

Now we all knew Java was riddled with holes. That too still stands.
Macs and Linux just happen to be able to run Java.

Or a less evil way of thinking about it is that MS didn't want to say "yeah we have the problem too" without pointing out that it isn't just them having the problem but it is Apple products too. Keep in mind every time a company discloses things they lose control over how it will be presented. If their statement doesn't include that it is Apple hardware/software too (or at least implies that it might have been) what might end up as the head line is "MS hacked" with no mention of Apple at all leaving MS looking like crap and a lot of people that don't give to turds about OS X saying "man when will MS learn". It could be evil (might even likely be evil) trying to deflect the blame but it can be the opposite too making sure you don't get tainted with all the blame for something that is a common problem.

Then, O great wise one, tell us what we do not know about networking and TCP/IP to where we can't see through the BS

You fool! You've invoked APK! Woe! Woe unto all of us!

zombie boxen in foreign countries

proxies in foreign countries

Un-named Government official said..."china attacked the..."

For Profit CEO of XYZ Anti-Virus said... "china attacked the..."

For profit security team said..."china attacked the.."

When is the last time you saw the NYTimes, sfgate, boston, the herald, or any of these fake mainstream journalists talk about packet sequencing in depth? Or the NSA fios splitters, or iptables rules or pf rules or anything at all in depth about proxies, zombies, or tor?

How often to they talk about managed security?

The lies year after year about geopolitics. yellow cake, WMD, bla fuckin bla. How come they didn't go back an destroy the source of the lies?

How well have they explained anyone can make an anonymous message/video. (anyone can call themselves a member of anonymous, ain't like there's a list of members)

How well have they explained anyone can take over a zombie box in a foreign country and make it look like that country is attacking others.

Who's the one who really released stuxnet? And why didn't the so-called news, make it clear that it had to be HAND CARRIED in, instead they make it sound like the most dangerous scada shit is connected to nukes for fuck sake. A complete deception on people that can't see through the bullshit, at the same time it protects the fascist SCADA whiners from hiring a real fucking person to TURN that knob, open that valve, or manually do the job the SCADA lets them lazily sit in their warm truck seats in the winter.

You can't pull the wool over the eyes electronics techs, and programmers who actually do this shit. Some sell out and go with the establishment flow. If you can blame China, then you are going to sell a lot of shit.

Other's like Kasper openly call for internet ID

I'm not that fucking wise, but I am adept to electronics, and programming. I know what the fuck happens when you put 5v on pin #32 on zilog chip bla, or motorola, or TI, or NCE, or.... analog devices, discreet, sensors, uP's, cmos, mosfet, I have every fucking set of tech books motorola put out since the BROWN ones. I have intel, zillog, amd, etc.

I don't care which programming language something is in, if it get's the job done, I'll learn or master it.

SO when I see network security played off as geopolitics yes I have a big fucking problem.

I don't give a fuck who you are, one day some bad shit will happen with your network. But you don't go broadcasting your whining that IRAQ or IRAN did it on pro establishment news. Remember the little boy who cried wolf.

When the wolf finally came for real, NOBODY cared. That's the danger.

Furthermore, a lot of these organizations security is complete fucking bullshit, an after thought.

No; bullshit. There is a whole load of security stuff that could have protected against that. The SELinux stuff that came from the NSA, that RedHat has been working on for years; that is present in Fedora; is exactly what could protect against this kind of user level stuff. There was a choice made by a number of computer manufacturers to put in ease of use without thinking through how to do that securely. Apple and Microsoft both, together, chose to push out alternative more secure solutions by trying to fool the users into thinking things could be easier. Without click to install there could never have been email viruses (did you youth know that we used to think these were an impossible joke). Even today, iOS, Android, Bada, BB(?) and Windows Phone come with fixed app permissions which don't allow you to reduce privilages. This is a choice of convenience over security, yet again.

Anyway; stupid article. I don't know if Microsoft did it for legal reasons, however no matter what, coming clean about a security breach is not something to be criticised. Well done Google, Apple and Microsoft. Shame on the ones who haven't yet discovered or admitted to it. Now you have admitted you have a problem start to give the users the ability to secure their own systems.

The core truth doesn't matter, it's all about appearances.

Put yourself in the shoes of a PHB (I know, i know... it's only temporary) - what would your take be?

By the same token, a huge section of "Windows Malware" also has nothing to do with Windows Security. Yet we see hundreds of modded up posts on Slashdot bashing Microsoft over it regularly, yet Apple seems to be getting a free pass just like Android.

Just so we're all on the same page, when computers get infected with malware it is not the fault of the OS, it is the fault of the third-party software, right? It seems like I heard a different tune when people were talking about Windows machines getting infected through third-party software.

Well something like 80% of BSOD issues were driver based (talk from a while back in XP days) but that didn't stop MS from getting the blame. A company can encourage other vendors to make good stuff but they can't force customers to apply the blame correctly when 3rd parties fail. It is fair game for MS to say "we've been hacked and yeah our Macs got hacked too" if it is true. It is also in their best interest to make sure that their competitors get included in the sound bits about the problem (and the source of the problem too of course) so that they don't get stuck with all the blame.

Oracle should follow Apple and post the following statement in their web site: As you might imagine, we are upset at OS X for not being more hardy against such viruses, and even more upset with ourselves for not catching it. [apple.com]

If java on apple was the same as it is on linux or windows you would have an argument. Unfortunately the version of java on apple os's is not user upgradable. It comes as a part of your os patch and apple tends to take longer than you might think to push out the patches.

Apple still maintains Java 1.6 on Mac OS X. Also, this particular vulnerability was patched by Oracle weeks ago, and Apple only recently applied it to Mac OS X - the Monday after all the reports on compromised computers at Facebook, etc. Reminds me of what happened with Flashback last year, especially where everyone wants to put all the blame on Oracle, and none of it on Apple.

Just to be clear - while Oracle is the upstream maintainer and distributer of Java, Apple does repackage and release Java updates through the Mac OS supplied Software update process. Thus, Apple is culpable, especially given the fact that Oracle had a fix for this vulnerability upstream for a while. Once again, just like Flashback last year. I'm not saying it's all Apple's fault, but they do have part of the blame here as a downstream distributer and primary maintainer of the Mac OS X port of Java 6.

Anyone with a Linux server had information regarding these activities.

Look at your SSH logs, and you'll find 99.99999% of brute force attempts these days are coming from China.

One can argue the 'military' part of 'ZOMG CHINA!' is novel, but honestly, it's China. It doesn't take Netcraft to confirm who's behind the port marauding.

If the update causes the business to shutdown, then the business may go out of business before the "some extra work to fix bugs" can be completed against some third party proprietary application that the busness cannot fix....

So no. bosses that don't want push updates because "it can break our systems" are correct. Pushing the update could put the company out of business.

Depends how big the company is. If there are not enough code checks, hacking the developer box is eventually hacking the production database no matter how isolated the two are.