{"id":10052,"date":"2014-10-03T09:00:45","date_gmt":"2014-10-03T01:00:45","guid":{"rendered":"https:\/\/blog.trendmicro.com.tw\/?p=10052"},"modified":"2014-10-02T18:26:01","modified_gmt":"2014-10-02T10:26:01","slug":"2014-%e5%b9%b4%e6%88%aa%e8%87%b3%e7%9b%ae%e5%89%8d%e7%82%ba%e6%ad%a2%e8%b6%a8%e5%8b%a2%e7%a7%91%e6%8a%80%e5%b7%b2%e7%99%bc%e7%8f%be-14-%e5%80%8b%e9%87%8d%e5%a4%a7%e6%bc%8f%e6%b4%9e","status":"publish","type":"post","link":"https:\/\/blog.trendmicro.com.tw\/?p=10052","title":{"rendered":"2014 \u5e74\u622a\u81f3\u76ee\u524d\u70ba\u6b62\u8da8\u52e2\u79d1\u6280\u5df2\u767c\u73fe 14 \u500b\u91cd\u5927\u6f0f\u6d1e"},"content":{"rendered":"<p>\u9396\u5b9a<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=123\">APT\u653b\u64ca\/\u76ee\u6a19\u653b\u64ca<\/a>\u7d93\u5e38\u5229\u7528\u6f0f\u6d1e\u4f86\u6697\u4e2d\u611f\u67d3\u96fb\u8166\u7cfb\u7d71\uff0c\u9019\u985e\u653b\u64ca\u4e0d\u4e00\u5b9a\u6703\u5229\u7528\u65b0\u767c\u73fe\u6216\u96f6\u6642\u5dee\u7684\u6f0f\u6d1e\uff0c\u4f8b\u5982 Internet Explorer \u7684 <a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2013-2551\">CVE-2013-2551<\/a> \u6f0f\u6d1e\u5c31\u662f\u4e00\u500b\u5728 2014 \u5e74\u4ecd\u53d7\u5230\u653b\u64ca\u7684\u6f0f\u6d1e\u3002<\/p>\n<p>\u5118\u7ba1\u5982\u6b64\uff0c\u96f6\u6642\u5dee\u653b\u64ca\u4f9d\u7136\u662f\u4e00\u9805\u56b4\u91cd\u5a01\u8105\uff0c\u56e0\u70ba\u5b83\u5011\u6703\u8b93\u6240\u6709\u4eba\u90fd\u63aa\u624b\u4e0d\u53ca\uff0c\u5305\u62ec\u8cc7\u8a0a\u5b89\u5168\u5ee0\u5546\u5728\u5167\u3002\u96f6\u6642\u5dee\u6f0f\u6d1e\u6b63\u662f\u5229\u7528\u9019\u6bb5\u9632\u8b77\u7a7a\u7a97\u671f\uff0c\u56e0\u6b64\u5373\u4f7f\u662f\u52e4\u52de\u7684\u4f7f\u7528\u8005\u548c\u7cfb\u7d71\u7ba1\u7406\u54e1\u4e5f\u4e0d\u514d\u6703\u66b4\u9732\u65bc\u5a01\u8105\u7576\u4e2d\u3002<\/p>\n<p><strong><em>\u9632\u8b77\u7814\u7a76<\/em><\/strong><\/p>\n<p><a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">\u8da8\u52e2\u79d1\u6280<\/a>\u7684\u7522\u54c1\u5167\u542b\u4e00\u4e9b\u53ef\u89e3\u6c7a\u9019\u985e\u554f\u984c\u7684\u6280\u8853\uff0c\u5305\u62ec\u700f\u89bd\u5668\u6f0f\u6d1e\u9632\u8b77\u3001\u6587\u4ef6\u6f0f\u6d1e\u9632\u8b77\u4ee5\u53ca\u865b\u64ec\u4fee\u88dc\u3002\u9019\u4e9b\u6280\u8853\u90fd\u5df2\u6574\u5408\u5230\u6211\u5011\u7684\u6d88\u8cbb\u7aef\u53ca\u4f01\u696d\u7d1a\u7522\u54c1\u7576\u4e2d\u3002<\/p>\n<p>\u6b64\u5916\uff0c\u6211\u5011\u4e5f\u5229\u7528\u9019\u4e9b\u7522\u54c1\u6240\u56de\u5831\u7684\u6f0f\u6d1e\u8207\u6f0f\u6d1e\u653b\u64ca\u8a0a\u606f\u4f86\u5efa\u7acb\u4e00\u4e9b\u7d93\u9a57\u6cd5\u5247\uff0c\u9032\u800c\u9632\u7bc4\u5df2\u4fee\u88dc\u7684\u6f0f\u6d1e\u548c\u96f6\u6642\u5dee\u6f0f\u6d1e\u3002\u9019\u6a23\u7684\u4f5c\u6cd5\u5df2\u5c55\u73fe\u512a\u826f\u6210\u6548\u30022010 \u5e74\uff0c\u4e00\u4e9b<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/trend-micro-to-help-proactively-protect-against-zero-day-attacks-like-the-recent-ie-explorer-exploit\/\">\u5229\u7528 IE\u00a0\u6f0f\u6d1e\u4f86\u653b\u64ca Google<\/a> (<a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2010-0249\">CVE-2010-0249<\/a>) \u7684\u60e1\u610f\u7a0b\u5f0f\u6a23\u672c\u65e9\u5728\u6f0f\u6d1e\u88ab\u63ed\u9732\u4e4b\u524d\u6578\u661f\u671f\u524d\u5c31\u88ab\u6211\u5011\u9810\u5148\u6514\u622a\u3002\u5176\u4ed6\u985e\u4f3c\u7684\u6848\u4f8b\u9084\u6709\u5229\u7528 <a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2013-5990\">CVE-2013-5990<\/a>\u3001<a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2013-3346\">CVE-2013-3346<\/a>\u3001<a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-0496\">CVE-2014-0496<\/a> \u4ee5\u53ca <a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-1761\">CVE-2014-1761<\/a> \u7b49\u6f0f\u6d1e\u7684\u653b\u64ca\u3002<\/p>\n<p><strong><em>\u767c\u6398\u6f0f\u6d1e<\/em><\/strong><\/p>\n<p><a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">\u8da8\u52e2\u79d1\u6280<\/a>\u6295\u5165\u4e86\u5927\u91cf\u7684\u4eba\u529b\u548c\u8cc7\u6e90\u4f86\u767c\u6398\u6f0f\u6d1e\u4ee5\u53ca\u76f8\u95dc\u7684\u96f6\u6642\u5dee\u653b\u64ca\uff0c\u9019\u65b9\u9762\u4e5f\u7372\u5f97\u4e86\u4e0d\u5c11\u6210\u679c\u30022014 \u5e74\u6211\u5011\u5728\u5404\u7a2e\u61c9\u7528\u7a0b\u5f0f\u7576\u4e2d\u7e3d\u5171\u767c\u73fe\u4e86 14 \u500b\u53ef\u80fd\u8b93\u99ed\u5ba2\u5f9e\u9060\u7aef\u57f7\u884c\u7a0b\u5f0f\u78bc\u7684\u6f0f\u6d1e\u3002\u5176\u4e2d\u5341\u500b\u662f <em>Internet Explorer<\/em> \u6f0f\u6d1e\uff0c\u5169\u500b\u662f <em>Adobe Flash Player<\/em> \u6f0f\u6d1e\uff0c\u53e6\u5916 \u00a0<em>Adobe Reader\/Acrobat<\/em> \u548c \u00a0<em>Java<\/em> \u4e5f\u5404\u6709\u4e00\u500b\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone\" src=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/files\/2014\/09\/vuln2014.png\" alt=\"2014 \u5e74\u622a\u81f3\u76ee\u524d\u70ba\u6b62\u8da8\u52e2\u79d1\u6280\u5df2\u767c\u73fe 14 \u500b\u91cd\u5927\u6f0f\u6d1e\" width=\"549\" height=\"331\" \/><\/p>\n<p><em>\u5716 1\uff1a2014 \u5e74\u767c\u73fe\u7684\u6f0f\u6d1e\u3002<\/em><\/p>\n<p>\u6211\u5011\u5728 2014 \u5e74\u767c\u73fe\u7684\u9019 14 \u500b\u91cd\u5927\u6f0f\u6d1e\u4ee5\u53ca\u53d7\u5f71\u97ff\u7684\u8edf\u9ad4 (\u7686\u5df2\u901a\u5831\u76f8\u95dc\u5ee0\u5546) \u5206\u5225\u70ba\uff1a<\/p>\n<ul>\n<li><a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-0290\">CVE-2014-0290<\/a> \u2013 Internet Explorer<\/li>\n<li><a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-0417\">CVE-2014-0417<\/a> \u2013 Java<\/li>\n<li><a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-0525\">CVE-2014-0525<\/a> \u2013 Adobe Acrobat\/Reader<\/li>\n<li><a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-0536\">CVE-2014-0536<\/a> \u2013 Adobe Flash<\/li>\n<li><a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-0559\">CVE-2014-0559<\/a> \u2013 Adobe Flash<\/li>\n<li><a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-1753\">CVE-2014-1753<\/a> \u2013 Internet Explorer<\/li>\n<li><a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-1772\">CVE-2014-1772<\/a> \u2013 Internet Explorer<\/li>\n<li><a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-1782\">CVE-2014-1782<\/a> \u2013 Internet Explorer<\/li>\n<li><a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-1804\">CVE-2014-1804<\/a> \u2013 Internet Explorer<\/li>\n<li><a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-2768\">CVE-2014-2768<\/a> \u2013 Internet Explorer<\/li>\n<li><a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-4057\">CVE-2014-4057<\/a> \u2013 Internet Explorer<\/li>\n<li><a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-4095\">CVE-2014-4095<\/a> \u2013 Internet Explorer<\/li>\n<li><a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-4097\">CVE-2014-4097<\/a> \u2013 Internet Explorer<\/li>\n<li><a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-4105\">CVE-2014-4105<\/a> \u2013 Internet Explorer<\/li>\n<\/ul>\n<p>\u6211\u5011\u4e3b\u8981\u662f\u5206\u6790\u5f9e\u9396\u5b9a<a href=\"https:\/\/blog.trendmicro.com.tw\/?p=123\">APT\u653b\u64ca\/\u76ee\u6a19\u653b\u64ca<\/a>\u53d7\u5bb3\u8005\u6240\u8490\u96c6\u5230\u7684\u6a23\u672c\uff0c\u56e0\u70ba\u9019\u4e9b\u6a23\u672c\u66f4\u80fd\u53cd\u61c9\u5a01\u8105\u60c5\u52e2\u7684\u771f\u5be6\u72c0\u6cc1\u3002\u9019\u4e9b\u6a23\u672c\u4f86\u6e90\u5ee3\u6cdb\uff0c\u5305\u62ec\uff1a\u8a98\u88dc\u7db2\u8def\u3001\u7522\u54c1\u56de\u5831\u3001\u4f7f\u7528\u8005\u9001\u5be9\u7684\u6a94\u6848\u7b49\u7b49\u3002\u6211\u5011\u76f8\u4fe1\uff0c\u9019\u4e9b\u6a23\u672c\u6240\u4f7f\u7528\u7684\u90fd\u662f\u99ed\u5ba2\u6b63\u5728\u4f7f\u7528\u6216\u8005\u6700\u53ef\u80fd\u4f7f\u7528\u7684\u6f0f\u6d1e\u3002<\/p>\n<p><a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">\u8da8\u52e2\u79d1\u6280<\/a>\u900f\u904e\u591a\u7a2e\u65b9\u6cd5\u4f86\u767c\u6398\u6f5b\u5728\u7684\u6f0f\u6d1e\u548c\u6f0f\u6d1e\u653b\u64ca\uff0c\u5305\u62ec\uff1a\u7d93\u9a57\u6cd5\u5247\u6383\u7784\u3001\u6a5f\u5668\u81ea\u6211\u5b78\u7fd2\u4ee5\u53ca\u6c99\u76d2\u6a21\u64ec\u5206\u6790 (Sandboxing)\u3002\u6211\u5011\u7684\u81ea\u52d5\u5316\u6d41\u7a0b\u6bcf\u65e5\u53ef\u8655\u7406\u6578\u5341\u842c\u500b\u6a23\u672c\uff0c\u5176\u4e2d\u53ea\u6709\u6578\u5341\u500b\u6a23\u672c\u5fc5\u9808\u518d\u7d93\u904e\u624b\u52d5\u5206\u6790\u3002<\/p>\n<p>\u5982\u540c\u5176\u4ed6\u7814\u7a76\u4eba\u54e1\u4e00\u6a23\uff0c\u6211\u5011\u4e5f\u6703\u5229\u7528\u975c\u614b\u5206\u6790\u3001\u8f38\u5165\u8cc7\u6599\u932f\u8aa4\u6e2c\u8a66 (fuzzing)\u3001\u6ef2\u900f\u6e2c\u8a66\u7b49\u65b9\u6cd5\u4f86\u4e3b\u52d5\u767c\u6398\u6f0f\u6d1e\u3002\u6211\u5011\u6703\u5728\u9019\u4e9b\u6f0f\u6d1e\u906d\u99ed\u5ba2\u5229\u7528\u4e4b\u524d\u9810\u5148\u901a\u5831 Microsoft\u3001Adobe \u548c Oracle \u7b49\u5ee0\u5546\u3002<!--more--><\/p>\n<p>\u6211\u5011\u6b63\u662f\u85c9\u7531\u9019\u6a23\u7684\u6d41\u7a0b\u4f86\u767c\u73fe\u90a3\u4e9b\u5bb9\u6613\u906d\u5230\u653b\u64ca\u7684\u71b1\u9580\u8edf\u9ad4\u6f0f\u6d1e\u3002\u6211\u5011\u4e5f\u548c\u76f8\u95dc\u5ee0\u5546\u5bc6\u5207\u5408\u4f5c\uff0c\u5354\u52a9\u4ed6\u5011\u4fee\u88dc\u6211\u5011\u767c\u73fe\u7684\u6f0f\u6d1e\u3002\u6b63\u56e0\u9019\u4e9b\u52aa\u529b\uff0c\u8da8\u52e2\u79d1\u6280\u624d\u80fd\u5728 2014 \u5e74\u5beb\u4e0b\u8f1d\u714c\u7684\u8a18\u9304\uff0c\u767c\u73fe\u8a31\u591a\u77e5\u540d Windows \u61c9\u7528\u7a0b\u5f0f\u7684\u6f0f\u6d1e\u3002<\/p>\n<p><strong><em>\u5e38\u898b\u7684\u6f0f\u6d1e\u5a01\u8105<\/em><\/strong><\/p>\n<p>\u4e0d\u540c\u61c9\u7528\u7a0b\u5f0f\u5728\u4e0d\u540c\u6642\u671f\u6703\u6d41\u884c\u4e0d\u540c\u985e\u578b\u7684\u6f0f\u6d1e\u3002\u9019\u662f\u56e0\u70ba\u99ed\u5ba2\u6703\u9078\u64c7\u7576\u6642\u8f03\u80fd\u7a69\u5b9a\u7372\u5f97\u6210\u679c\u7684\u6f0f\u6d1e\u3002<\/p>\n<p>\u4f8b\u5982\uff0c<a href=\"https:\/\/www.trendmicro.com.tw\/edm\/Tracking.asp?id=2651&amp;name=20110916\">\u8da8\u52e2\u79d1\u6280<\/a>\u4eca\u5e74\u6240\u767c\u73fe\u7684 Internet Explorer \u6f0f\u6d1e\u5927\u591a\u662f\u300c\u4f7f\u7528\u5df2\u91cb\u653e\u7684\u8a18\u61b6\u9ad4\u300d(Use After Free\uff0c\u7c21\u7a31 UAF) \u6f0f\u6d1e\u3002Microsoft \u4eca\u5e74\u767c\u5e03\u4e86\u591a\u6b21\u5b89\u5168\u66f4\u65b0\u4f86\u89e3\u6c7a UAF \u6f0f\u6d1e\uff0c\u5305\u62ec <a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-0322\">CVE-2014-0322<\/a> \u548c <a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-1776\">CVE-2014-1776<\/a> \u96f6\u6642\u5dee\u6f0f\u6d1e\u3002<\/p>\n<p>\u50cf UAF \u9019\u6a23\u7684\u6f0f\u6d1e\u6216\u8a31\u4e0d\u5bb9\u6613\u6839\u9664\uff0c\u539f\u56e0\u5305\u62ec\uff1a<\/p>\n<ul>\n<li>\u7576\u958b\u767c\u4eba\u54e1\u4f7f\u7528 C\/C++ \u4f86\u64b0\u5beb\u7a0b\u5f0f\u6642\u8f03\u5bb9\u6613\u72af\u932f\u3002<\/li>\n<li>\u6587\u4ef6\u7269\u4ef6\u6a21\u578b (Document Object Model\uff0c\u7c21\u7a31 DOM) \u7b2c 1 \u5230\u7b2c 4 \u5c64\u662f\u7531\u8907\u96dc\u7684\u5143\u4ef6\u548c\u908f\u8f2f\u6240\u69cb\u6210\uff0c\u800c UAF \u6f0f\u6d1e\u901a\u5e38\u767c\u751f\u5728\u975e\u540c\u6b65\u7684\u8655\u7406\u7a0b\u5e8f (process) \u7576\u4e2d\u3002\u540c\u6a23\u7684\u554f\u984c\u4e5f\u6703\u51fa\u73fe\u5728 <em>Google Chrome<\/em> \u548c <em>Mozilla Firefox<\/em>\u3002<\/li>\n<li><em>Internet Explorer<\/em> \u7576\u4e2d\u542b\u6709\u4e00\u4e9b\u975e\u516c\u958b\u7684 (private) \u7684 DOM \u5143\u4ef6 (\u4f8b\u5982 VML)\uff0c\u4f7f\u5f97\u7a0b\u5f0f\u78bc\u66f4\u52a0\u8907\u96dc\uff0c\u554f\u984c\u4e5f\u66f4\u56b4\u91cd\u3002<\/li>\n<li>Microsoft \u63d0\u4f9b\u4e86\u5411\u4e0b\u76f8\u5bb9\u6027\uff0c\u7576\u65b0\u820a\u7a0b\u5f0f\u5f15\u64ce\u642d\u914d\u5728\u4e00\u8d77\u6642\uff0c\u5b89\u5168\u6027\u5c31\u6703\u5927\u6253\u6298\u6263 (\u56e0\u70ba\u820a\u7684\u4e26\u672a\u5305\u542b\u5b89\u5168\u6027\u66f4\u65b0)\u3002<\/li>\n<\/ul>\n<p>\u6240\u5e78\uff0cMicrosoft \u5c0e\u5165\u4e86\u5169\u7a2e\u89e3\u6c7a\u65b9\u6cd5\uff1a<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/isolated-heap-for-internet-explorer-helps-mitigate-uaf-exploits\/\">\u9694\u96e2\u5f0f Heap \u8a18\u61b6\u9ad4<\/a>\u548c<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/mitigating-uaf-exploits-with-delay-free-for-internet-explorer\/\">\u5ef6\u5f8c\u91cb\u653e<\/a>\uff0c\u9019\u5169\u7a2e\u65b9\u6cd5\u53ef\u8b93\u6b79\u5f92\u8f03\u96e3\u5229\u7528 UAF \u6f0f\u6d1e\u3002<\/p>\n<p>\u4e0d\u904e\uff0c<em>Flash Player<\/em> \u537b\u5b58\u5728\u8457\u4e00\u500b\u8d85\u51fa\u5b58\u53d6\u7bc4\u570d\u7684\u554f\u984c\u3002\u5b83\u7684\u7a0b\u5f0f\u78bc\u7576\u4e2d\u7f3a\u4e4f\u9069\u7576\u7684\u7bc4\u570d\u6aa2\u67e5\uff0c\u5c24\u5176\u662f\u67d0\u4e9b\u8907\u96dc\u908f\u8f2f\u80cc\u5f8c\u7684\u76f8\u95dc\u7a0b\u5f0f\u78bc\u3002\u6211\u5011\u767c\u73fe\u5169\u500b\u8207\u6b64\u554f\u984c\u76f8\u95dc\u7684\u6f0f\u6d1e\u3002Flash \u5728\u56db\u6708\u51fa\u73fe\u7684\u96f6\u6642\u5dee\u6f0f\u6d1e\u653b\u64ca (<a href=\"https:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-0515\">CVE-2014-0515<\/a>) \u4e5f\u662f\u5229\u7528\u985e\u4f3c\u7684\u5f31\u9ede\u3002<\/p>\n<p><strong><em>\u91cd\u8907\u5229\u7528\u7684\u6f0f\u6d1e\u653b\u64ca<\/em><\/strong><\/p>\n<p>\u900f\u904e\u7a0b\u5f0f\u78bc\u7684\u91cd\u8907\u5229\u7528\uff0c\u99ed\u5ba2\u73fe\u5728\u80fd\u6bd4\u4ee5\u5f80\u66f4\u5feb\u958b\u767c\u51fa\u6f0f\u6d1e\u653b\u64ca\u7a0b\u5f0f\u3002\u4e00\u65e6\u6f0f\u6d1e\u653b\u64ca\u7a0b\u5f0f\u958b\u767c\u5230\u4e00\u500b\u7a69\u5b9a\u7684\u72c0\u614b\uff0c\u99ed\u5ba2\u5c31\u6703\u5efa\u7acb\u4e00\u500b\u7a0b\u5f0f\u7bc4\u672c\u3002\u800c\u8a72\u7bc4\u672c\u5c07\u5305\u542b\u6240\u6709\u5f9e\u9060\u7aef\u57f7\u884c\u7a0b\u5f0f\u78bc\u7684\u6b65\u9a5f\uff0c\u4ee5\u53ca\u907f\u958b\u8cc7\u6599\u57f7\u884c\u9632\u6b62 (DEP)\u3001\u4f4d\u5740\u7a7a\u9593\u914d\u7f6e\u96a8\u6a5f\u5316 (ASLR) \u7b49\u5b89\u5168\u6a5f\u5236\u7684\u65b9\u6cd5\u3002<\/p>\n<p>DEP \u53ef\u9632\u6b62\u96fb\u8166\u5f9e\u975e\u57f7\u884c\u78bc\u8a18\u61b6\u9ad4\u5340\u584a\u57f7\u884c\u7a0b\u5f0f (\u5305\u62ec\u60e1\u610f\u7a0b\u5f0f)\u3002ASLR \u5247\u662f\u53ef\u4ee5\u5c07\u8a18\u61b6\u9ad4\u5340\u584a\u7684\u6392\u5217\u65b9\u5f0f\u96a8\u6a5f\u5316\uff0c\u8b93\u6b79\u5f92\u66f4\u96e3\u731c\u6e2c\u78ba\u5207\u4f4d\u7f6e\u3002<\/p>\n<p>\u7531\u65bc\u7a0b\u5f0f\u78bc\u7684\u91cd\u8907\u5229\u7528\uff0c\u4e00\u65e6\u51fa\u73fe\u985e\u4f3c\u7684\u65b0\u6f0f\u6d1e\uff0c\u6b79\u5f92\u5c31\u80fd\u8fc5\u901f\u91dd\u5c0d\u65b0\u7684\u6f0f\u6d1e\u958b\u767c\u51fa\u65b0\u7684\u653b\u64ca\u7a0b\u5f0f\uff0c\u56e0\u70ba\u53ea\u8981\u4fee\u6539\u5c11\u91cf\u7684\u7a0b\u5f0f\u4f86\u78ba\u4fdd\u76f8\u95dc\u7cfb\u7d71\u767b\u9304\u5728\u6f0f\u6d1e\u653b\u64ca\u6642\u6eff\u8db3\u9810\u671f\u7684\u689d\u4ef6\u5373\u53ef\u3002<\/p>\n<p>\u4ee5\u4e0b\u6211\u5011\u7528 CVE-2014-0322 \u548c CVE-2014-1776 \u70ba\u7bc4\u4f8b\u4f86\u8aaa\u660e\uff0c\u9019\u5169\u500b\u6f0f\u6d1e\u90fd\u5c6c\u65bc UAF \u6f0f\u6d1e\uff0c\u91dd\u5c0d\u9019\u5169\u500b\u6f0f\u6d1e\u7684\u653b\u64ca\u7a0b\u5f0f\u7bc4\u672c\u57fa\u672c\u4e0a\u6709\u56db\u500b\u6b65\u9a5f\uff1a<\/p>\n<ol>\n<li>\u5229\u7528 <em>Flash ActionScript<\/em> \u5c07\u7a0b\u5f0f\u78bc\u585e\u5165 Heap \u8a18\u61b6\u9ad4\uff0c\u5982\u6b64\u4e00\u4f86\u5c31\u80fd\u900f\u904e\u8a72\u6f0f\u6d1e\u4ee5\u53ca\u5169\u500b\u5411\u91cf (vector) \u4f86\u5b58\u53d6\u7d55\u5927\u591a\u6578\u7684\u8a18\u61b6\u9ad4\u7a7a\u9593\u3002<\/li>\n<li>\u70ba\u4e86\u907f\u958b ASLR\uff0c\u641c\u5c0b <em>ZwProtectVirtualMemory<\/em> \u7684\u4f4d\u5740\uff0c\u7136\u5f8c\u7528\u8a72\u4f4d\u5740\u4f86\u5efa\u7acb\u4e00\u6bb5\u8fd4\u56de\u6307\u6a19\u7a0b\u5f0f\u78bc (return-oriented programming\uff0cROP)\uff0c\u9019\u6a23\u5c31\u80fd\u907f\u958b\u6f0f\u6d1e\u9632\u7bc4\u6a5f\u5236\u3002<\/li>\n<li>\u4fee\u6539 <em>media.Sound<\/em> \u7684 vtable \u6307\u5411 ROP \u7a0b\u5f0f\u78bc\uff0c\u5982\u6b64\u5c31\u80fd\u547c\u53eb\u5176\u865b\u64ec\u6db5\u5f0f (virtual function)\u3002\u63a5\u8457\uff0c\u5c07 shellcode \u7684\u6b0a\u9650\u6539\u6210 RWX\uff0c\u5982\u6b64\u5c31\u80fd\u907f\u958b DEP \u6a5f\u5236\u3002<\/li>\n<li>\u8fd4\u56de shellcode \u2013 \u6b64\u6642\u99ed\u5ba2\u5c31\u80fd\u57f7\u884c\u4efb\u610f\u7684\u7a0b\u5f0f\u78bc\u3002<\/li>\n<\/ol>\n<p><strong><em>\u6f0f\u6d1e\u653b\u64ca\u7684\u672a\u4f86\u767c\u5c55<\/em><\/strong><\/p>\n<p>\u524d\u9762\u63d0\u904e\uff0c\u4eca\u5e74\u99ed\u5ba2\u4e3b\u8981\u90fd\u9396\u5b9a\u5728\u767c\u6398 <em>Internet Explorer<\/em> \u548c <em>Flash Player<\/em> \u7684\u6f0f\u6d1e\u3002\u6211\u5011\u7684\u7814\u7a76\u767c\u73fe\u4e5f\u652f\u6301\u9019\u9805\u8aaa\u6cd5\uff0c\u4eca\u5e74\u4e0a\u534a\u5e74\u5c24\u5176\u4ee5 UAF \u6f0f\u6d1e\u70ba\u4e3b\u3002<\/p>\n<p>\u5c31\u5728 Microsoft \u63a8\u51fa\u5169\u9805\u89e3\u6c7a\u65b9\u6cd5\u4e0d\u4e45\uff0cUAF \u76f8\u95dc\u7684\u6f0f\u6d1e\u653b\u64ca\u5c31\u4e0d\u518d\u662f\u500b\u56b4\u91cd\u554f\u984c\u3002\u5373\u4f7f\u6211\u5011\u9084\u662f\u6703\u770b\u5230\u4e00\u4e9b UAF \u6f0f\u6d1e\uff0c\u4f46\u537b\u518d\u4e5f\u4e0d\u80fd\u5229\u7528\u820a\u7684\u65b9\u6cd5\u4f86\u767c\u52d5\u653b\u64ca\u3002\u5118\u7ba1\u76ee\u524d\u5df2\u6709\u89e3\u6c7a\u65b9\u6848\uff0c\u4f46\u6211\u5011\u9810\u6599\uff0c\u4e00\u65e6\u9019\u4e9b\u6a5f\u5236\u53c8\u518d\u5ea6\u88ab\u7834\u89e3\uff0c\u672a\u4f86 UAF \u6f0f\u6d1e\u653b\u64ca\u9084\u662f\u6709\u6a5f\u6703\u518d\u5ea6\u6d41\u884c\uff0c\u6216\u8a31\u6703\u96a8\u8457\u660e\u5e74\u65b0\u7248\u7684 Internet Explorer \u767c\u8868\u4e00\u8d77\u73fe\u8eab\u4e5f\u8aaa\u4e0d\u5b9a\u3002<\/p>\n<p>\u6211\u5011\u8a8d\u70ba\uff0c\u7121\u53ef\u907f\u514d\u5730\uff0c\u99ed\u5ba2\u6703\u4e0d\u65b7\u5229\u7528\u65b0\u7684\u65b9\u6cd5\u6216\u65b0\u7684\u6f0f\u6d1e\u3002\u6211\u5011\u4e5f\u770b\u5230\u6b79\u5f92\u6539\u7528 UAF \u4ee5\u5916\u7684\u5176\u4ed6\u985e\u578b\u6f0f\u6d1e\uff0c\u4f8b\u5982\u8d85\u51fa\u5b58\u53d6\u7bc4\u570d\u4ee5\u53ca\u8cc7\u6599\u985e\u578b\u6df7\u6dc6\u6240\u9020\u6210\u7684\u6f0f\u6d1e\u3002<\/p>\n<p>\u5728\u8eb2\u907f\u5b89\u5168\u6a5f\u5236\u65b9\u9762\u4e5f\u662f\u540c\u6a23\u7684\u60c5\u6cc1\u3002\u4eca\u65e5\uff0c\u99ed\u5ba2\u5df2\u6709\u8fa6\u6cd5\u907f\u958b DEP \u548c ASLR\uff0c\u800c\u4e14\u7814\u7a76\u986f\u793a\uff0c\u5c31\u9023\u8f03\u65b0\u7684\u4e00\u4e9b\u6a5f\u5236\u4e5f\u5df2\u88ab\u7834\u89e3\u3002\u4f8b\u5982\uff0c\u5728\u67d0\u4e9b\u7279\u6b8a\u7684\u689d\u4ef6\u4e0b\uff0c\u5373\u4f7f\u662f\u300c\u5ef6\u5f8c\u91cb\u653e\u300d\u7684\u7269\u4ef6\u8a18\u61b6\u9ad4\u7a7a\u9593\u4e5f\u53ef\u80fd\u7acb\u5373\u88ab\u91cb\u653e\u3002\u8981\u523b\u610f\u9054\u5230\u9019\u6a23\u7684\u689d\u4ef6\u53ea\u662f\u8b8a\u5f97\u8f03\u70ba\u56f0\u96e3\uff0c\u4e26\u975e\u5168\u7136\u4e0d\u53ef\u80fd\u3002<\/p>\n<p><strong><em>\u5efa\u7acb\u4e00\u500b\u8cc7\u8a0a\u5b89\u5168\u751f\u614b\u9ad4\u7cfb<\/em><\/strong><\/p>\n<p>\u8da8\u52e2\u79d1\u6280\u5c07\u6301\u7e8c\u6295\u5165\u6f0f\u6d1e\u8207\u6f0f\u6d1e\u653b\u64ca\u7684\u7814\u7a76\u3002\u4e0d\u904e\u6211\u5011\u5f88\u6e05\u695a\uff0c\u53ea\u5c07\u6211\u5011\u7684\u7814\u7a76\u6210\u679c\u904b\u7528\u5230\u6211\u5011\u81ea\u5df1\u7684\u7522\u54c1\u7576\u4e2d\u662f\u4e0d\u5920\u7684\u3002\u6211\u5011\u5fc5\u9808\u5efa\u7acb\u4e00\u500b\u751f\u614b\u9ad4\u7cfb\u4f86\u9632\u7bc4\u96f6\u6642\u5dee\u653b\u64ca\uff0c\u56e0\u70ba\u8d8a\u4f86\u8d8a\u591a\u7684\u9396\u5b9a\u76ee\u6a19\u653b\u64ca\u90fd\u5229\u7528\u9019\u7a2e\u6f0f\u6d1e\u3002\u6211\u5011\u4e0d\u61c9\u50c5\u6b62\u65bc\u6514\u622a\u9019\u985e\u5a01\u8105\uff0c\u4f7f\u7528\u8005\u548c\u5ee0\u5546\u90fd\u61c9\u5177\u5099\u76f8\u95dc\u7684\u77e5\u8b58\uff0c\u624d\u80fd\u8b93\u6bcf\u4e00\u500b\u4eba\u90fd\u514d\u65bc\u9019\u4e9b\u5a01\u8105\u3002<\/p>\n<p>\u5728\u9019\u500b\u76ee\u6a19\u9054\u6210\u4e4b\u524d\uff0c\u4e00\u822c\u4f7f\u7528\u8005\u8a72\u505a\u4e9b\u4ec0\u9ebc\u5462\uff1f\u4f7f\u7528\u8005\u61c9\u8a72\u78ba\u4fdd\u81ea\u5df1\u7684\u8edf\u9ad4\u96a8\u6642\u4fdd\u6301\u66f4\u65b0\uff0c\u76e1\u53ef\u80fd\u6e1b\u5c11\u6f0f\u6d1e\u7684\u5b58\u5728\uff0c\u4e5f\u78ba\u4fdd\u81ea\u5df1\u64c1\u6709\u6700\u65b0\u7684\u6f0f\u6d1e\u9632\u8b77\u3002\u6b63\u5982\u6211\u5011\u5148\u524d\u63d0\u5230\uff0c\u6211\u5011\u7814\u7a76\u5c07\u76f4\u63a5\u7528\u65bc\u70ba\u5ba2\u6236\u63d0\u4f9b\u66f4\u597d\u7684\u9632\u8b77\u3002<\/p>\n<p>\u5c24\u5176\uff0c\u4f01\u696d\u61c9\u770b\u770b\u6211\u5011\u7684 <a href=\"https:\/\/www.trendmicro.tw\/tw\/enterprise\/security-risk-management\/deep-discovery\/\">Deep Discovery<\/a>\u7522\u54c1\uff0c\u56e0\u70ba\u9019\u662f\u5c08\u70ba\u767c\u6398\u9396\u5b9a\u76ee\u6a19\u653b\u64ca\u800c\u8a2d\u8a08\u3002\u5176<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/heuristic-scanning-and-sandbox-protection-best-of-both-worlds\/\">\u7d93\u9a57\u5f0f\u6383\u7784\u8207\u6c99\u76d2\u6a21\u64ec\u5206\u6790 (sandboxing)<\/a> \u5728\u767c\u6398\u672a\u77e5\u5a01\u8105\u65b9\u9762\u975e\u5e38\u8fc5\u901f\u6709\u6548\uff0c\u6b64\u5916\uff0c<a href=\"https:\/\/www.trendmicro.tw\/tw\/enterprise\/security-risk-management\/deep-discovery\/\">Deep Discovery<\/a><\/p>\n<p>\u4e5f\u6703\u5229\u7528\u6211\u5011\u7814\u7a76\u6240\u767c\u73fe\u7684\u77e5\u8b58\u4f86\u63d0\u4f9b\u6700\u5b8c\u6574\u7684\u7d93\u9a57\u5f0f\u6f0f\u6d1e\u5075\u6e2c\u3002<\/p>\n<p>\u25ce\u539f\u6587\u51fa\u8655\uff1a<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/trend-micro-uncovers-14-critical-vulnerabilities-in-2014-so-far\/\">https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/trend-micro-uncovers-14-critical-vulnerabilities-in-2014-so-far\/<\/a>\u4f5c\u8005\uff1a<a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/author\/weiminwu\/\">Weimin Wu (\u5a01\u8105\u5206\u6790\u5e2b)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u9396\u5b9aAPT\u653b\u64ca\/\u76ee\u6a19\u653b\u64ca\u7d93\u5e38\u5229\u7528\u6f0f\u6d1e\u4f86\u6697\u4e2d\u611f\u67d3\u96fb\u8166\u7cfb\u7d71\uff0c\u9019\u985e\u653b\u64ca\u4e0d\u4e00\u5b9a\u6703\u5229\u7528\u65b0\u767c\u73fe\u6216\u96f6\u6642\u5dee\u7684\u6f0f\u6d1e\uff0c\u4f8b\u5982 Int [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","_wpscppro_dont_share_socialmedia":false,"_wpscppro_custom_social_share_image":0,"_facebook_share_type":"","_twitter_share_type":"","_linkedin_share_type":"","_pinterest_share_type":"","_linkedin_share_type_page":"","_instagram_share_type":"","_medium_share_type":"","_threads_share_type":"","_google_business_share_type":"","_selected_social_profile":[],"_wpsp_enable_custom_social_template":false,"_wpsp_social_scheduling":{"enabled":false,"datetime":null,"platforms":[],"status":"template_only","dateOption":"today","timeOption":"now","customDays":"","customHours":"","customDate":"","customTime":"","schedulingType":"absolute"},"_wpsp_active_default_template":true},"categories":[10,1385,156],"tags":[498,2292,1786],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/10052"}],"collection":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10052"}],"version-history":[{"count":0,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/10052\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10052"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10052"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.trendmicro.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10052"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}