Apple Releases Latest Anti-Surveillance System Patch (1)

One of the world’s most evasive digital arms dealers is believed to have been taking advantage of three security vulnerabilities in popular Apple products in its efforts to spy on dissidents and journalists.

Investigators discovered that a company called the NSO Group, an Israeli outfit that sells software that invisibly tracks a target’s mobile phone, was responsible for the intrusions.

The NSO Group’s software can read text messages and emails and track calls and contacts. It can even record sounds, collect passwords and trace the whereabouts of the phone user.

In response, Apple on Thursday released a patched version of its mobile software, iOS 9.3.5. Users can get the patch through a normal software update.

Apple fixed the holes 10 days after a tip from two researchers, Bill Marczak and John Scott Railton, at Citizen Lab at the University of Toronto’s Munk School of Global Affairs, and Lookout, a San Francisco mobile security company.

“We advise all of our customers to always download the latest version of iOS to protect themselves against potential security exploits,” said Fred Sainz, a company spokesman.

In interviews and manuals, the NSO Group’s executives have long boasted that their spyware worked like a “ghost,” tracking the moves and keystrokes of its targets, without leaving a trace. But until this month, it was not clear how exactly the group was monitoring its targets, or who exactly it was monitoring.

A clearer picture began to emerge on Aug. 10, when Ahmed Mansoor, a prominent human rights activist in the United Arab Emirates, who has been tracked by surveillance software several times, began receiving suspicious text messages. The messages purported to contain information about the torture of U.A.E. citizens.

Mr. Mansoor passed the messages to researchers at the Citizen Lab, who confirmed they were an attempt to track him through his iPhone.

This latest effort was far more sophisticated than what was found aimed at his devices before. The researchers found it was connecting to 200 servers, several of them registered to the NSO Group. Strewn throughout the spyware code were references to Pegasus, the name of an NSO Group spyware product.

Citizen Lab brought in Lookout to help examine the code. Together, they discovered that the spyware relied on three previously unknown iOS vulnerabilities — called “zero days” because Apple didn’t know about them and had zero days to patch them.
