中國黑客攻破蘋果Safari
????Keen Team的陳良(右)正展示Adobe Flash漏洞利用
|
????上周舉行的Pwn2Own黑客大賽中,所有網絡軟件包括蘋果(Apple)Safari瀏覽器、谷歌(Google)Chrome瀏覽器、微軟(Microsoft)的IE瀏覽器、Mozilla公司的火狐瀏覽器(Firefox),以及Adobe公司的PDF閱讀器(Adobe Reader)及瀏覽器插件Adobe Flash都被黑客徹底攻破。 ????法國安全公司Vupen利用一個Use-After-Free 漏洞攻破了Chrome瀏覽器。這個漏洞對兩種瀏覽器內核WebKit及Blink都有影響。 ????來自中國安全研究團隊Keen Team的陳良利用一個堆溢出及沙箱繞過組合攻破了蘋果的Safari瀏覽器。這個團隊共用了三個月時間來完善這個組合。 ????“蘋果的OS操作系統被認為是非常安全的,具備非常好的安全架構,”陳良告訴安全信息網站ThreatPost的邁克爾?米莫蘇說。“即使它有漏洞,也很難被攻破。今天我們證明,利用一些先進技術,OS操作系統還是可以被攻破。但總體來說,這個系統的安全性要高于所有其它操作系統。” ????在接受CNET科技資訊網的單獨采訪時,陳良說道,OS X系統比iOS 7.0更難攻破,因為蘋果為桌面操作系統提供的安全更新比為移動操作系統提供的更為頻繁。 ????由惠普公司(Hewlett-Packard)贊助、惠普零日計劃(Zero-Day Initiative)組織的Pwn2Own黑客大賽為期兩天,共為八個參賽團隊提供了85萬美元的總獎金,并為慈善機構捐出了8.25萬美元善款。除參賽團隊外,參加這次活動的還有許許多多來自蘋果及其它公司的觀察員,他們將在大賽結束后著手修補這些安全漏洞。 ????“我認為Webkit漏洞比較容易修復,”陳良告訴米莫蘇。“而系統級別的漏洞與程序設計相關,因此可能更難修復。”(財富中文網) ????譯者:朱毓芬/汪皓 ???? |
????Everybody's Web software got "pwned" at the Pwn2Own hackers conference this week: Apple's (AAPL) Safari, Google's (GOOG) Chrome, Microsoft's (MSFT) Internet Explorer, Mozilla's Firefox and Adobe's (ADBE) Reader and Flash. ????Chrome was hacked by a French team from Vupen Security with a use-after-free vulnerability that affects both the WebKit and Blink rendering engines. ????Safari was defeated by Liang Chen, one of a pair Chinese Keen Team hackers, using a heap-overflow-and-sandbox-bypass combination that took three months to perfect. ????"For Apple, the OS is regarded as very safe and has a very good security architecture," Chen told ThreatPost's Michael Mimoso. "Even if you have a vulnerability, it's very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems." ????In a separate interview with CNET, Chen said that OS X is harder to attack than iOS 7.0 because Apple issues security updates for its desktop operating system more frequently than for its mobile OS. ????The two-day event, sponsored by Hewlett-Packard (HPQ) and organized by the HP-owned Zero-Day Initiative, paid out $850,000 in prize money to eight teams of competitors, plus another $82,500 in charitable donations. The event was staffed by observers from Apple and the other companies, which will presumably now start patching those holes. ????"I think the Webkit fix will be relatively easy," Chen told Mimoso. "The system-level vulnerability is related to how they designed the application; it may be more difficult for them." ???? |
最新文章