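Keen Team, a security research team from China, defeated Apple's Safari browser, widely regarded as the most secure, at last week's hacking contest and won $40,000 in prize money. Team members said that part of the prize money will be donated to help the families of passengers on the missing Malaysia Airlines flight MH370.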
Everybody's Web software got "pwned" at the Pwn2Own hackers conference this week: Apple's (AAPL) Safari, Google's (GOOG) Chrome, Microsoft's (MSFT) Internet Explorer, Mozilla's Firefox and Adobe's (ADBE) Reader and Flash.
Chrome was hacked by a French team from Vupen Security with a use-after-free vulnerability that affects both the WebKit and Blink rendering engines.
Safari was defeated by Liang Chen, one of a pair of Chinese Keen Team hackers, using a heap-overflow-and-sandbox-bypass combination that took three months to perfect.
"For Apple, the OS is regarded as very safe and has a very good security architecture," Chen told ThreatPost's Michael Mimoso. "Even if you have a vulnerability, it's very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems."
Photo caption: Keen Team's Liang Chen (right) demonstrating an Adobe Flash exploit.
In a separate interview with CNET, Chen said that OS X is harder to attack than iOS 7.0 because Apple issues security updates for its desktop operating system more frequently than for its mobile OS.
The two-day event, sponsored by Hewlett-Packard (HPQ) and organized by the HP-owned Zero-Day Initiative, paid out $850,000 in prize money to eight teams of competitors, plus another $82,500 in charitable donations. The event was staffed by observers from Apple and the other companies, which will presumably now start patching those holes.
"I think the Webkit fix will be relatively easy," Chen told Mimoso. "The system-level vulnerability is related to how they designed the application; it may be more difficult for them."