iPhoneDevSDK, an online forum for software developers, may be a source of malware infecting Apple software engineers' Macs, as well as machines at Twitter, Facebook, and hundreds of other companies, according to the New York Times. The malware was delivered via an exploit in the Java browser plug-in -- somewhat ironic, given that Apple recently (and unceremoniously) shut down Java 7 on its Mac customers' machines. Apple has since released updated versions of Java for OS X, as reported by Mac Rumors.
Apple said in a statement today that it had identified "a small number of systems" within the company "that were infected and isolated them from our network." The company added that "there is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware."
According to Reuters, "the same software, which infected Macs by exploiting a flaw in a version of Oracle Corp.'s Java software used as a plug-in on Web browsers was used to launch attacks against Facebook, which the social network disclosed on Friday."
Neither Apple nor Facebook has gone on record as to the source of the malware, beyond vaguely alluding to "a website for software developers." Citing "a person with knowledge of Facebook's investigation," the New York Times Bits blog identified the compromised site as iPhoneDevSDK.
Apple's freshly released Java update is aimed at systems that have not already installed Java for Mac OS X 10.6 update 9 or later. According to Apple, "it will configure Web browsers to not automatically run Java applets. Java applets may be re-enabled by clicking the region labeled 'Inactive plug-in' on a Web page. If no applets have been run for an extended period of time, the Java Web plug-in will deactivate."
There are two packages available through Apple's site: one for Snow Leopard and one for Lion or Mountain Lion.
The news comes on the heels of Apple's decision to silently block the latest version of Java 7 from running on OS X 10.6 Snow Leopard or higher via its XProtect antimalware tool, back on Feb. 1 -- the day Twitter acknowledged it had been hacked. The company didn't issue an official statement explaining the change at the time, but it was likely because Apple had deemed Oracle's most recent Java update insecure. Apple had likewise quietly disabled Java on Macs back on Jan. 10, the same day a Java vulnerability was being exploited in the wild.
This story, "Apple rolls out update for Java on Macs in wake of malware outbreak," was originally published at InfoWorld.com.