FORTUNE — “Java’s not worth building in,” Steve Jobs told the
New York Times
‘ John Markoff in 2007. “Nobody uses Java anymore. It’s this big heavyweight ball and chain.”
On Tuesday, with foreign hacker attacks on U.S. institutions making headline news, the company acknowledged that some of its employees’ Macs had also been breached. The culprit: Malware exploiting a known vulnerability in the Java plug-in for Apple Web browsers.
Like Adobe’s (ADBE) Flash, another programming environment that Steve Jobs hated, Java plug-ins have long been a rich target of opportunity for malicious hackers. No matter how air-tight a computer’s operating system, it can’t close all the holes in a third-party add-on.
That’s why Apple in 2010 started shipping computers without Java plug-ins installed. If users wanted to expose themselves to those vulnerabilities, they would have to actively seek out the necessary plug-in and turn it on. As a further security measure, the latest version of OS X disables the plug-ins if they haven’t been used in 35 days.
By 8 p.m. Tuesday, Apple had released a software update that removes the offending code. To run Java applets on a Web page, users who update will have to click on a “Missing plug-in” button and download the latest version from Oracle.
Apple told journalists that it only a small number of its in-house systems were infected and that there was no evidence that any data left its headquarters.
According to Bloomberg, FBI and Secret Service experts have traced the attack — which affected as many as 40 U.S. companies — to an Eastern European website that caters to developers.