Re: [Discussion] Apple posts statement hitting back at Google: stop exaggerating and steering

Original poster: ReDmango (that idiot who loves fighting over nicknames)   2019-09-08 11:58:18
※ Quoting kouta (ΦωΦ):
To summarize what Apple said:
First, the sophisticated attack was narrowly focused, not a broad-based exploit
of iPhones “en masse” as described. The attack affected fewer than a dozen
websites that focus on content related to the Uighur community. Regardless of
the scale of the attack, we take the safety and security of all users extremely
seriously.
1. Apple judges that this attack targeted “only” a dozen or so Uighur communities.
Second, all evidence indicates that these website attacks were only operational
for a brief period, roughly two months, not “two years” as Google implies.
We fixed the vulnerabilities in question in February — working extremely
quickly to resolve the issue just 10 days after we learned about it. When
Google approached us, we were already in the process of fixing the exploited
bugs.
2. Apple judges that this attack was “operational” for only a “brief” two months.
Oh, by the way:
Last week, Google published a blog about vulnerabilities that Apple fixed for
iOS users in February. We’ve heard from customers who were concerned by some
of the claims, and we want to make sure all of our customers have the facts.
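Apple says Google published a vulnerability, but in fact this vulnerability was not published by Google;
it was published by Project Zero. Project Zero is a 0-day security team that Google sponsors in name,
completely independent of Google's operations teams. Its job is to find 0-day vulnerabilities on all platforms,
and Meltdown, which shocked the whole world last year, was found by them.
Project Zero notifies the software or hardware vendor where the vulnerability was found, and only once the vendor has patched the hole, or after six months,
does it make the detailed information public, in order to keep the same hole from turning up at other vendors.
So you can see that the information Project Zero published is definitely not as simple as what Apple describes,
“iOS had a vulnerability that could be used to attack you for as long as two years.”
This time Project Zero published five chains, covering iOS 10.0.1 through iOS 12.1.2.
Just from seeing this, you will know there is a problem with what a certain K said, “this vulnerability only lasted two months”;
even Apple's original text only dares to say "only operational for a brief period".
Author: bighead50405 (Big head, big head, no worries when it rains)   2019-09-08 12:57:00
It's fine, it's fine, setting the board's atmosphere straight is what really matters.
Author: AJizzInPants (Chef A-Ji in the pants)   2019-09-08 14:47:00
Some people get unhappy when the Uighurs are mentioned, you know. All that about concentration camps is fake news.
Author: sunskist0831 (Good men don't become soldiers)   2019-09-08 16:58:00
No worries. If you think Apple is bad, flip your phone over and rub the logo.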
