In a recent blog post, Matt Thomlinson, Microsoft's General Manager for Trustworthy Computing Security, stated that Microsoft was breached in a similar fashion to recent breaches at Apple and Facebook.
"Consistent with our security response practices, we chose not to make a statement during the initial information gathering process," Thomlinson wrote. "During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations. We have no evidence of customer data being affected and our investigation is ongoing."
"Thomlinson sought to reassure customers by claiming that Microsoft’s continual system of internal security evaluation means 'additional people, processes, and technologies' can be deployed if gaps are found, in order to prevent similar incursions in the future," writes The Register's Phil Muncaster. "The extent of the attack is still unclear, although some researchers are claiming hundreds of other companies may have had their Macs targeted in the same way."
"If Microsoft is right, and the attack is similar to those which impacted the likes of Facebook and Apple, then a key part of the attack was the exploitation of a Java browser plug-in vulnerability. ... If we have to say it once, twice or a thousand times -- we'll keep on saying it: If you don't need Java enabled in your browser, turn it off now," writes Sophos' Graham Cluley.