Microsoft on Tuesday warned that a group of hackers linked to attacks on the Democratic National Committee had exploited a vulnerability in all Windows PCs that it would not be able to fully mend for another week.
The flaw was disclosed publicly on Monday by Google, provoking a sharp rebuke from Microsoft about the dangers of revealing flaws like this before fixes are available.
Microsoft said the software flaw had been used by a group it calls Strontium, and which is known more widely as Fancy Bear. The group, which has been operating for nearly a decade, has been linked by security researchers to the Russian military and has been tied to a number of attacks on government, military and corporate systems. These include an assault on the DNC this year that is believed to have led to subsequent email leaks that have embarrassed the Democratic party in the run-up to the presidential election.
The flaw was uncovered by two security researchers at Google and reported to Microsoft on October 21. On Monday, when the software company had still not released a “patch” to protect its Windows operating system from attack, Google publicly announced the vulnerability.
Terry Myerson, head of the Windows business, hit out at the internet company on Tuesday afternoon, suggesting that it had not shown “responsible technology industry participation”. Disclosing a so-called “zero-day” exploit before it has been repaired alerts other hackers to the flaw and can lead to more attacks on Windows PCs.
“Google’s decision to disclose these vulnerabilities before patches are broadly available and tested is disappointing, and puts customers at increased risk,” Mr Myerson wrote in a blog post.
Google defended its actions on Monday, saying it always publishes details of “critical vulnerabilities” seven days after it warns other software companies about them so that computer users will be aware of the danger.
It said it had also warned Adobe about a flaw in its own Flash software which, used together with the Windows vulnerability, had enabled hackers to exploit machines. Adobe released a patch for its own product last Wednesday, less than a week after being warned about it.
Anyone using Microsoft’s new Edge browser, which is included in Windows 10, should be protected, the company said. But other versions of Windows will be exposed until at least November 8, the date when Microsoft said it planned to release a patch to solve the problem.