Microsoft on Tuesday warned that a group of hackers linked to attacks on the Democratic National Committee had exploited a vulnerability in all Windows PCs that it would not be able to fully mend for another week.
The flaw was disclosed publicly on Monday by Google, provoking a sharp rebuke from Microsoft about the dangers of revealing flaws like this before fixes are available.
Microsoft said the software flaw had been used by a group it calls Strontium, and which is known more widely as Fancy Bear. The group, which has been operating for nearly a decade, has been linked by security researchers to the Russian military and has been tied to a number of attacks on government, military and corporate systems. These include an assault on the DNC this year that is believed to have led to subsequent email leaks that have embarrassed the Democratic party in the run-up to the presidential election.
The flaw was uncovered by two security researchers at Google and reported to Microsoft on October 21. On Monday, when the software company had still not released a “patch” to protect its Windows operating system from attack, Google publicly announced the vulnerability.
Terry Myerson, head of the Windows business, hit out at the internet company on Tuesday afternoon, suggesting that it had not shown “responsible technology industry participation”. Disclosing a so-called “zero-day” exploit before it has been repaired alerts other hackers to the flaw and can lead to more attacks on Windows PCs.
“Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” Mr Myerson wrote in a blog post.
Google defended its actions on Monday, saying it always publishes details of “critical vulnerabilities” seven days after it warns other software companies about them so that computer users will be aware of the danger.
It said it had also warned Adobe about a flaw in its own Flash software which, used together with the Windows vulnerability, had enabled hackers to exploit machines. Adobe released a patch for its own product last Wednesday, less than a week after being warned about it.
Anyone using Microsoft’s new Edge browser, which is included in Windows 10, should be protected, the company said. But other versions of Windows will be exposed until at least November 8, the date when Microsoft said it planned to release a patch to solve the problem.