Re: [Discussion] Apple posts a rebuttal to Google: stop exaggerating over there and…

Author: ReDmango (愛戰暱稱的哪個白癡)   2019-09-08 11:58:18
※ Quoting kouta (ΦωΦ):
To summarize what Apple said:
First, the sophisticated attack was narrowly focused, not a broad-based exploit
of iPhones “en masse” as described. The attack affected fewer than a dozen
websites that focus on content related to the Uighur community. Regardless of
the scale of the attack, we take the safety and security of all users extremely
seriously.
1. Apple judges that this attack targeted "only" a dozen or so Uighur communities.
Second, all evidence indicates that these website attacks were only operational
for a brief period, roughly two months, not “two years” as Google implies.
We fixed the vulnerabilities in question in February — working extremely
quickly to resolve the issue just 10 days after we learned about it. When
Google approached us, we were already in the process of fixing the exploited
bugs.
2. Apple judges that this attack was only "operational" for a "brief" two months.
Oh, by the way:
Last week, Google published a blog about vulnerabilities that Apple fixed for
iOS users in February. We’ve heard from customers who were concerned by some
of the claims, and we want to make sure all of our customers have the facts.
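Apple says Google published a vulnerability, but in fact this vulnerability was not published by Google;
it was published by Project Zero. Project Zero is a 0-day security team that Google sponsors in name,
completely independent of and outside Google's operations team. Its job is to find 0-day vulnerabilities on all platforms.
Meltdown, which shocked the whole world last year, was found by them.
Project Zero notifies the software or hardware vendor where it found the vulnerability, and only discloses
the details once the vendor has patched the hole, or after six months. The aim is to prevent the same hole from occurring at other vendors.
So you can see that the information Project Zero publishes is definitely not as simple as what Apple describes,
"iOS had a vulnerability that could attack you for as long as two years."
This time Project Zero published five chains, covering iOS 10.0.1 through iOS 12.1.2.
Just from this, you can tell that what a certain K said, "this vulnerability only lasted two months," is problematic;
even Apple's original text only dares to say "only operational for a brief period".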
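Author: bighead50405 (大頭大頭下雨不愁)   2019-09-08 12:57:00
It's fine, it's fine, setting the board's atmosphere straight is what really matters.
Author: AJizzInPants (阿基師在褲子裡)   2019-09-08 14:47:00
Mentioning the Uighurs will make some people unhappy, you know. All that stuff about concentration camps is fake news.
Author: sunskist0831 (好男不當兵)   2019-09-08 16:58:00
No worries. If you think Apple is no good, turn your phone over and rub the logo.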
