中国黑客攻破苹果Safari
Keen Team的陈良(右)正展示Adobe Flash漏洞利用
上周举行的Pwn2Own黑客大赛中,所有网络软件包括苹果(Apple)Safari浏览器、谷歌(Google)Chrome浏览器、微软(Microsoft)的IE浏览器、Mozilla公司的火狐浏览器(Firefox),以及Adobe公司的PDF阅读器(Adobe Reader)及浏览器插件Adobe Flash都被黑客彻底攻破。 法国安全公司Vupen利用一个Use-After-Free 漏洞攻破了Chrome浏览器。这个漏洞对两种浏览器内核WebKit及Blink都有影响。 来自中国安全研究团队Keen Team的陈良利用一个堆溢出及沙箱绕过组合攻破了苹果的Safari浏览器。这个团队共用了三个月时间来完善这个组合。 “苹果的OS操作系统被认为是非常安全的,具备非常好的安全架构,”陈良告诉安全信息网站ThreatPost的迈克尔•米莫苏说。“即使它有漏洞,也很难被攻破。今天我们证明,利用一些先进技术,OS操作系统还是可以被攻破。但总体来说,这个系统的安全性要高于所有其它操作系统。” 在接受CNET科技资讯网的单独采访时,陈良说道,OS X系统比iOS 7.0更难攻破,因为苹果为桌面操作系统提供的安全更新比为移动操作系统提供的更为频繁。 由惠普公司(Hewlett-Packard)赞助、惠普零日计划(Zero-Day Initiative)组织的Pwn2Own黑客大赛为期两天,共为八个参赛团队提供了85万美元的总奖金,并为慈善机构捐出了8.25万美元善款。除参赛团队外,参加这次活动的还有许许多多来自苹果及其它公司的观察员,他们将在大赛结束后着手修补这些安全漏洞。 “我认为Webkit漏洞比较容易修复,”陈良告诉米莫苏。“而系统级别的漏洞与程序设计相关,因此可能更难修复。”(财富中文网) 译者:朱毓芬/汪皓
|
Everybody's Web software got "pwned" at the Pwn2Own hackers conference this week: Apple's (AAPL) Safari, Google's (GOOG) Chrome, Microsoft's (MSFT) Internet Explorer, Mozilla's Firefox and Adobe's (ADBE) Reader and Flash. Chrome was hacked by a French team from Vupen Security with a use-after-free vulnerability that affects both the WebKit and Blink rendering engines. Safari was defeated by Liang Chen, one of a pair Chinese Keen Team hackers, using a heap-overflow-and-sandbox-bypass combination that took three months to perfect. "For Apple, the OS is regarded as very safe and has a very good security architecture," Chen told ThreatPost's Michael Mimoso. "Even if you have a vulnerability, it's very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems." In a separate interview with CNET, Chen said that OS X is harder to attack than iOS 7.0 because Apple issues security updates for its desktop operating system more frequently than for its mobile OS. The two-day event, sponsored by Hewlett-Packard (HPQ) and organized by the HP-owned Zero-Day Initiative, paid out $850,000 in prize money to eight teams of competitors, plus another $82,500 in charitable donations. The event was staffed by observers from Apple and the other companies, which will presumably now start patching those holes. "I think the Webkit fix will be relatively easy," Chen told Mimoso. "The system-level vulnerability is related to how they designed the application; it may be more difficult for them."
|
最新文章