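Keen Team, a security research team from China, defeated Apple's Safari, widely regarded as the most secure browser, at last week's hacking contest and won $40,000 in prize money. Team members said that part of the prize will be donated to help the families of passengers on the missing Malaysia Airlines flight MH370.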
Everybody's Web software got "pwned" at the Pwn2Own hackers conference this week: Apple's (AAPL) Safari, Google's (GOOG) Chrome, Microsoft's (MSFT) Internet Explorer, Mozilla's Firefox and Adobe's (ADBE) Reader and Flash.
Chrome was hacked by a French team from Vupen Security with a use-after-free vulnerability that affects both the WebKit and Blink rendering engines.
Safari was defeated by Liang Chen, one of a pair of Chinese Keen Team hackers, using a heap-overflow-and-sandbox-bypass combination that took three months to perfect.
"For Apple, the OS is regarded as very safe and has a very good security architecture," Chen told ThreatPost's Michael Mimoso. "Even if you have a vulnerability, it's very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems."
Keen Team's Liang Chen (right) demonstrating an Adobe Flash exploit
In a separate interview with CNET, Chen said that OS X is harder to attack than iOS 7.0 because Apple issues security updates for its desktop operating system more frequently than for its mobile OS.
The two-day event, sponsored by Hewlett-Packard (HPQ) and organized by the HP-owned Zero-Day Initiative, paid out $850,000 in prize money to eight teams of competitors, plus another $82,500 in charitable donations. The event was staffed by observers from Apple and the other companies, which will presumably now start patching those holes.
"I think the Webkit fix will be relatively easy," Chen told Mimoso. "The system-level vulnerability is related to how they designed the application; it may be more difficult for them."