China's "Legendary" Hackers Crack Apple's Safari

Everybody's Web software got "pwned" at the Pwn2Own hackers conference this week: Apple's (AAPL) Safari, Google's (GOOG) Chrome, Microsoft's (MSFT) Internet Explorer, Mozilla's Firefox and Adobe's (ADBE) Reader and Flash.

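At the Pwn2Own hacking contest held last week, all the web software, including Apple's Safari browser, Google's Chrome browser, Microsoft's IE browser, Mozilla's Firefox browser, and Adobe's PDF reader (Adobe Reader) and browser plug-in Adobe Flash, was thoroughly compromised by hackers.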

Chrome was hacked by a French team from Vupen Security with a use-after-free vulnerability that affects both the WebKit and Blink rendering engines.

French security firm Vupen compromised the Chrome browser using a use-after-free vulnerability. The vulnerability affects both the WebKit and Blink browser engines.

Safari was defeated by Liang Chen, one of a pair of Chinese Keen Team hackers, using a heap-overflow-and-sandbox-bypass combination that took three months to perfect.

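Liang Chen of the Chinese security research team Keen Team compromised Apple's Safari browser using a heap overflow and sandbox bypass combination. The team spent three months in total perfecting the combination.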

"For Apple, the OS is regarded as very safe and has a very good security architecture," Chen told ThreatPost's Michael Mimoso. "Even if you have a vulnerability, it's very difficult to exploit. Today we demonstrated that with some advanced technology, the system is still able to be pwned. But in general, the security in OS X is higher than other operating systems."

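"Apple's OS operating system is regarded as very safe and has a very good security architecture," Liang Chen told Michael Mimoso of the security news site ThreatPost. "Even if it has a vulnerability, it is very hard to compromise. Today we proved that, with some advanced techniques, the OS operating system can still be compromised. But overall, the security of this system is higher than that of all other operating systems."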

In a separate interview with CNET, Chen said that OS X is harder to attack than iOS 7.0 because Apple issues security updates for its desktop operating system more frequently than for its mobile OS.

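In a separate interview with CNET, Liang Chen said that OS X is harder to compromise than iOS 7.0, because Apple provides security updates for its desktop operating system more frequently than for its mobile operating system.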

The two-day event, sponsored by Hewlett-Packard (HPQ) and organized by the HP-owned Zero-Day Initiative, paid out $850,000 in prize money to eight teams of competitors, plus another $82,500 in charitable donations. The event was staffed by observers from Apple and the other companies, which will presumably now start patching those holes.

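The Pwn2Own hacking contest, sponsored by Hewlett-Packard and organized by HP's Zero-Day Initiative, ran for two days, offered a total of $850,000 in prize money to eight competing teams, and donated $82,500 to charity. Besides the competing teams, many observers from Apple and other companies took part in the event; they will begin patching these security vulnerabilities after the contest ends.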

"I think the Webkit fix will be relatively easy," Chen told Mimoso. "The system-level vulnerability is related to how they designed the application; it may be more difficult for them."

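"I think the Webkit vulnerability is relatively easy to fix," Liang Chen told Mimoso. "The system-level vulnerability is related to the program's design, so it may be harder to fix."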