Facebook briefly compromised in 'sophisticated' Java exploit
Attackers were able to infect some machines of Facebook employees in a sophisticated attack, the social networking giant admitted late last week. "This attack occurred when a handful of employees visited a mobile developer website that was compromised," and which was apparently seeded with a malware that leveraged a previously unknown flaw in the Java plug-in to infect the machines.
The compromised laptops were "fully-patched and running up-to-date anti-virus software," says Facebook (NASDAQ: FB). Facebook Chief Security Officer Joe Sullivan elaborated that the attack was injected into the site's HTML, meaning that any Facebook engineer who visited the site and had Java enabled in their browser would have been affected. This will take place regardless of "how patched their machine was."
In terms of Java as a potential security weakness, Facebook told Ars Technica that it has already started an initiative to reduce its dependency on products that require the use of Java plug-ins. Sullivan does concede that "It's hard to do" however, due to the "many" enterprise applications that require it. Ultimately, Sullivan does not peg the blame on Java alone, but sums it up this way: "If it wasn't a Java plugin vulnerability, it could have been another."
- check out this article at eWeek