The hacks related to Apple involve a lot of complexities. Let's review the timeline:
February 1st: Twitter's Director of Information Security, Bob Lord, posted "Keeping our users secure" on Twitter's blog. On a Friday. The weekend of the NFL's Super Bowl. Lord explained that Twitter had been hacked, and that 250,000 accounts had had their passwords reset as a result. Lord advised people to disable Java's browser plugin.
February 1st: The Department of Homeland Security's United States Computer Emergency Readiness Team (US-CERT) issues Alert (TA13-032A) warning of multiple vulnerabilities in Oracle Java.
February 1st: Oracle releases a critical patch update for Java (JRE 7 Update 11 and earlier).
February 4th: Monday. We asked contacts at Apple: based on Lord's post, we suspect a Mac payload; do you have any samples that you are allowed to share with us? The reply: "Twitter has not shared any samples with us."
February 7th: Oracle releases a critical patch update for Java (JRE 7 Update 11 and earlier) ahead of schedule because of "active exploitation in the wild" of one of the vulnerabilities addressed.
February 7th: Adobe published a security bulletin for Adobe Flash Player. From the bulletin: "Adobe is also aware of reports that CVE-2013-0634 is being exploited in the wild in attacks delivered via malicious Flash (SWF) content hosted on websites that target Flash Player in Firefox or Safari on the Macintosh platform…".
February 15th: Facebook's security team posted "Protecting People On Facebook" on its Page. On a Friday. Just before a three-day weekend in the United States. The security team explained that some Facebook employee "laptops" had been hacked via a Java exploit.
February 15th: Mac samples (backdoors) are shared with an AV mailing list.
February 18th: our Helsinki-based Mac analyst, Brod, examines the backdoors. We quickly determine that all of the related C&Cs are sinkholed by The Shadowserver Foundation. Other recent Mac backdoors, targeting Uyghur people, have not been sinkholed in this manner. To us, this indicates that the backdoors are part of a law enforcement investigation. Knowing that Facebook's Chief Security Officer, Joe Sullivan, is a former U.S. Attorney (federal prosecutor), we suspect a connection to Facebook.
February 19th: Reuters breaks the news that Apple employees were also hacked via a Java exploit. According to Reuters, "a person briefed on the case said that hundreds of companies, including defense contractors, had been infected with the same malicious software."
February 19th: Oracle releases a "special" critical patch update for Java (JRE 7 Update 13 and earlier) which includes all of the fixes from February 1st, "plus an additional five fixes which had been previously planned for delivery."
February 20th: Ian Sefferman, an administrator at iPhoneDevSDK, writes that, prior to AllThingsD's article, "we had no knowledge of this breach and hadn't been contacted by Facebook, any other company, or any law enforcement about the potential breach."
Q: Adobe reported in-the-wild attacks delivered via websites targeting Flash. Those attacks appear to be aimed at defense contractors. Where are those watering holes located?
Q: How many companies were affected?
Q: How many unique connections have been made to Shadowserver's sinkhole?
Q: How long has this type of thing been going on? Apple began removing old versions of Java from Macs when people updated OS X in October 2012. Was that a proactive… or reactive decision? How many times has Apple been compromised?
Macs have something like a 15% market share in the real world. That market share translates into relatively low motivation for attackers to develop bulk, commoditized "malware as a service" targeting average Mac-owning consumers. People who use Macs at home are about as secure today as they were yesterday, and so they probably have a reasonable sense of security.
But in the "developer world", Macs have a much higher market share. (In Silicon Valley we'd guesstimate it's probably the inverse of the real world: 85%.) As such, there is relatively high motivation for attackers to develop "sophisticated" attacks that incorporate Mac-based payloads. People who use their Macs for work should not have the same sense of security as home users. Clearly, work Macs are more of a target, and expectations of security should scale to match the threat level.
Developers who assume a "15%" level of attacker motivation aren't paranoid enough; they are operating with a false sense of security. It's time for businesses and organizations to reassess.
At the very least, developers and other professionals should separate work (anything with access to production back ends) from play, using separate virtual machines if not separate hardware.
Edited: Added the February 19th link to Apple's update.