[Share] A few things you need to know about April's Patch Tuesday
Posted: 2018-4-11 16:53


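Preface:

The text below is a bilingual Chinese-English version. I translated the Chinese part and made some cuts to the original. If there are any mistakes, please point them out.

Features:

1. Bilingual Chinese and English

2. Keyword annotations

3. I plan to add annotations for long, difficult sentences later

Why I wrote this post

1. I often need to read English technical articles, but I find there are some obstacles. The first is vocabulary: computing is full of specialized terms, and a word that means one thing in everyday life often means something else in a technical article; if you don't know that, it is easy to misunderstand the text or fail to follow it. The second is sentence length: long sentences have many nested clauses, and when it is unclear what belongs to what, it is easy to misread them.

2. The widely available English-learning material today is mostly everyday conversation or exam preparation such as IELTS and TOEFL; I have not yet found any for computing and network security. The English of those areas differs somewhat from computing terminology.

3. I majored in English and don't want to waste the many years I spent learning it. So I want to keep notes while reading English articles.

4. Technical articles are long, specialized and a bit dry.... So I pick news articles from the industry, which are short and to the point and also show how the relevant terms are idiomatically expressed. I hope everyone can learn some English while catching up on the news.

Given the points above, I plan to start by posting a few articles like this. I hope you will support them, and I also welcome comments and suggestions; tell me whether this is useful to you.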



Microsoft’s April Patch Tuesday release includes fixes for 66 bugs, 24 of which are rated critical.


On April's Patch Tuesday, Microsoft released patches for 66 vulnerabilities, 24 of which are rated critical.



1. SharePoint elevation of privilege vulnerability



Notable is Microsoft’s disclosure of a publicly known SharePoint elevation of privilege bug (CVE-2018-1034), rated important, which has no fix but has not been publicly exploited.


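Notably, the SharePoint elevation of privilege vulnerability (CVE-2018-1034) that Microsoft disclosed this time is rated important; it has not been fixed, and it has not been exploited.


privilege [ˈprɪvəlɪdʒ] n. permission, access right (权限)

e.g.:

And privilege control can also be accessed initiatively or passively.

User privilege control likewise takes two different forms: active access or passive access.


exploited [ɛksplɔɪt; ɪkˈsplɔɪt] v. to make use of (利用)

e.g.:

The essence of software vulnerability is to exploit and affect system security.

The essence of a software vulnerability is that exploiting it can affect the security of the system.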


Microsoft SharePoint Enterprise Server 2016 is the only version impacted by the vulnerability, according to Microsoft. “An elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server,” Microsoft said.


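According to Microsoft, SharePoint Server 2016 is the only version affected by this vulnerability. It said: “The elevation of privilege vulnerability can be exploited only when Microsoft SharePoint Server does not properly sanitize web requests sent to an affected server. An authenticated hacker can affect the SharePoint server by sending a carefully crafted request.”


vulnerability [,vʌlnərə'bɪləti] n. weakness, security risk (脆弱性、安全隐患); translated here as 漏洞 (security hole)


sanitize ['sænɪtaɪz] v. 1. to make harmless; to disinfect; to apply hygiene measures to; 2. to clean out, to remove (清除)

e.g.:

to sanitize a picture magazine

to clean the unwholesome content out of a picture magazine


authenticated [ɔ'θɛntɪ,ket] n. verified, authenticated (已验证,已认证)

e.g.:

Obviously, for this model to work each user must be authenticated.

Obviously, for this model to take effect, every user must be authenticated.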


Security experts say one of the most important patches rolled out Tuesday was actually identified in March (CVE-2018-1038). If exploited, the bug could allow an authenticated attacker to install programs, access stored data or create new accounts with full user rights on Windows 7 and Server 2008 R2 machines.


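Some security experts say that one of the most important patches released on Patch Tuesday is for CVE-2018-1038, which was actually discovered in March. The vulnerability allows an authenticated hacker to install programs, read stored data, or create new accounts with full rights on Windows 7 and Server 2008 R2 machines.


access ['æksɛs] v. This word is very common and has many meanings, so its translation is flexible. Here it means to read (读取).


To memorize it, remember the words that follow it; that makes the meaning easier to work out.

Here, for example, it is access data, that is, to read data (读取数据).


Besides this, it has the following common meanings.

1. to connect to (接入)

ADSL technology is a rising method to access Internet now.

ADSL is an emerging way of connecting to the network today.

2. admission (准入)

PEPs are normally implemented on network devices, such as routers, switches, network access servers (NAS) and VoIP gateways.

When the conditions for enforcing a policy are met, the policy is enforced by the policy enforcement point. PEPs usually enforce policy at the transport layer and usually reside on network devices such as routers, switches, admission servers and VoIP gateways.

3. to store and retrieve (存取)

4. to approach (进接)

5. to read (读取)

6. entry and exit (进出)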


“While this vulnerability was identified between March and April Patch Tuesday’s, CVE-2018-1038 should be a top priority for anyone who has Windows 7 for x64-based Systems or Windows Server 2008 R2 for x64-based Systems, and you have installed any of the servicing updates released during or after January 2018, you need to install 4100480 immediately to be protected from this Elevation of Privilege vulnerability,” Goettl said in his commentary on Patch Tuesday.


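Although this vulnerability was discovered between the March and April Patch Tuesdays, fixing it is the top priority for users running Windows 7 for x64-based systems or Windows Server 2008 R2 for x64-based systems. Anyone who installed any servicing update during or after January 2018 must install 4100480 immediately to be protected from the elevation of privilege vulnerability, Goettl said in his commentary on Patch Tuesday.


top priority: the most urgent matter, the highest priority (当务之急,最优先级)



2. A bypass vulnerability in Wireless Keyboard 850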



Also of note is a patch for a Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability (CVE-2018-8117).


Also worth noting is a patch for a bypass vulnerability in the Microsoft Wireless Keyboard 850.



“Patches for hardware are rare, and patches for keyboards are especially rare, so it was somewhat shocking to see this bug detailed. However, the severity of this bug should not be scoffed at,” the Zero Day Initiative’s (ZDI) Dustin Childs said in an analysis of the vulnerability. “This vulnerability could affect you in two ways. First, an attacker could read your keystrokes – effectively turning your keyboard into a keystroke logger. Everything you type – passwords, account details, emails – could be viewed.”


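“Patches for hardware are rare, and patches for keyboards are rarer still, so it was quite a surprise to see the details of this vulnerability. However, its severity should not be underestimated,” ZDI's Dustin Childs wrote in an analysis of the vulnerability. “This vulnerability has two kinds of impact. First, an attacker can read the user's keyboard input, effectively turning the keyboard into a keystroke logger. Everything the user types, including passwords, account details and emails, can be spied on.”


Wireless Keyboard (无线键盘)

keystroke logger (击键记录器)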


Alternatively, an attacker could also inject keystrokes to an affected system by reusing the keyboard’s AES encryption key.

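Alternatively, an attacker can inject keystrokes into an affected system by reusing the keyboard's AES encryption key.


inject (注入)



3. VBScript Engine remote code execution vulnerability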



Childs also warns that a critical Windows VBScript Engine Remote Code Execution Vulnerability (CVE-2018-1004) also presents a heightened security risk. “This critical-rated bug for the VBScript engine acts somewhat like a browser bug, but it’s actually more impactful,” he said. To exploit the vulnerability an attacker hosts a malicious website and tricks a victim to browse the site.


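A critical Windows VBScript Engine remote code execution vulnerability (CVE-2018-1004) also poses a considerable security risk. “This critical vulnerability in the VBScript engine behaves more like a browser vulnerability, but its impact is more serious,” he said. To exploit the vulnerability, an attacker needs to have a malicious website and lure the victim into browsing it.


remote code execution (远程代码执行)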



“An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” according to Microsoft.


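“An attacker who successfully exploits this vulnerability can gain the same user rights as the victim user. If the victim user is logged in with an administrator account, the attacker can take control of the system through this vulnerability, and then install programs; view, change or delete data; or create new accounts with full user rights,” Microsoft said.



4. Remote code execution vulnerabilities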



Microsoft also alerted users to five Graphics Remote Code Execution Vulnerabilities (CVE-2018-1010, -1012, -1013, -1015, -1016) tied to the Windows Font Library. “Each of these patches covers a vulnerability in embedded fonts that could allow code execution at the logged-on user level. Since there are many ways to view fonts – web browsing, documents, attachments – it’s a broad attack surface and attractive to attackers,” ZDI noted.


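Microsoft also alerted users to five Graphics (图表) remote code execution vulnerabilities (CVE-2018-1010, -1012, -1013, -1015, -1016) closely tied to the Windows font library. “The patches for these five vulnerabilities all cover a vulnerability in embedded fonts that allows code to be executed as the logged-on user. Because there are many ways to view fonts (web pages, browsers, documents, attachments), the attack surface is large and attractive to attackers.”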


Microsoft Malware Protection Engine was fixed last week in an out-of-band security update.


Microsoft's Malware Protection Engine was fixed last week in an out-of-band security update.


Earlier on Tuesday, Adobe fixed four critical vulnerabilities in its Flash Player and InDesign products. Patches for Adobe Flash Player for Microsoft Edge and IE 11 were part of that update. Adobe said Edge and IE users will each be automatically updated to the latest versions.


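Earlier on Tuesday, Adobe fixed four critical vulnerabilities in its Flash Player and InDesign products. Patches for Microsoft Edge and IE 11 were also part of this update. Adobe said that Edge and IE users will both be automatically updated to the latest version.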







Supplementary notes:


1. Patch Tuesday


Patch Tuesday (also known as Update Tuesday), translated in this post as 周二补丁日, is an unofficial term used to refer to when Microsoft regularly releases security patches for its software products. It is widely referred to in this way by the industry. Microsoft formalized Patch Tuesday in October 2003.

Source: Wikipedia

Patch Tuesday was not originally an official term. Microsoft usually releases patches for its products on this day. After 2003, Microsoft formally adopted the name.



2. English terms for vulnerability severity levels

 severity (严重程度)
 low (低危)
 medium/moderate (中危)
 important (重要)
 high (高危)
 critical (严重)
vulnerability rating




English source: Patch Tuesday

Compiled by 哆啦咪 of the Kanxue (看雪) translation team



The freshest security news + idiomatic English expressions

Learn & Move On




Last edited by CCkicker on 2018-4-11 16:53