The Java bug or bugs were exploited in "watering hole" attacks, where hackers identify their intended targets, compromise websites the targets frequently visit and plant malware on the sites. Like a lion waiting at a watering hole for unwary wildebeests, the exploits wait for unsuspecting users.
Presumably, Apple employees who visited the compromised website did so before Apple or Oracle issued their emergency Java updates two weeks ago, or perhaps even earlier, prior to Oracle's Jan. 13 "out-of-band" update that patched a different set of bugs.
In its Tuesday statement, Apple also reminded customers that it does not bundle Java with Lion or Mountain Lion, and that it added a security feature to OS X in April which automatically disables Java if the software has not been used in the last 35 days. The latter was one of several Apple responses to a massive round of infections in the spring of 2012 by the Flashback malware, which compromised hundreds of thousands of Macs worldwide.
The company's comments were odd, as neither measure was sufficient to stop Apple's own Macs from being hacked, probably because the engineers required Java for their work and used the software frequently.
Sign up for Computerworld eNewsletters.