Kingsoft

“Forbes” website article published today, said security researchers from Shanghai, China Wu Shi has entered the world’s leading discoverers of the ranks of browser vulnerabilities. Perhaps his research will let Apple get a lot.
The following is the full text:

If the “tough love” to solve the world’s best recipe software failure, then the stone may also be known as the Wu area of information security one of the many unsung heroes.

Since 2007, the 35-year-old Shanghai researchers have discovered and reported on IE, Safari and Chrome and other browsers that exist in more than 100 serious flaws. If the user browse an infected Web page, the hacker can take advantage of these loopholes rob the user computer information. Last year alone, more than 50 of which he would sell the Zero Day Initiative vulnerabilities and other flaws iDefense purchase organization, the two organizations are attributed to Hewlett-Packard and VeriSign, who specialized research staff from there to spend money to buy vulnerability Xin Xi and use the data security products, followed by him before the affected software vendor.

These data show that the Wu Shi provided in only one year to the ero Day Initiative, and Vulnerability iDefense researchers than any one of the world has more loopholes than half of them are from Apple’s Safari browser. For example, in the last month, a security update, Apple released for the iPhone operating system, 64 new patches, of which only six holes that Apple own researchers found that 12 staff from the Google study found that another 15 are discovered by Miss Stone.

In this regard, security expert Charles – Miller (Charlie Miller), said: “Maybe Apple should hire Miss Stone to help them, because he found the security loophole in Apple’s team found more than twice as much.”

Unique fuzzing algorithms:

Wu Shi through instant messaging and e-mail explaining how he is called “fuzzing” way to get these vulnerabilities. Using this method, the software required to enter a large number of modified files in order to find which files will cause software crashes, and then the collapse of these cases analyzed in order to find out how hackers inject code and control the browser.

Wu Shi algorithm used to generate a unique file to be tested and then placed his own Apache Tomcat server, so that the frequency of its faster to get to the researchers tested more than ordinary samples. Miss Stone said its methods and change the file in a single variable different ways to change his entire sample, and can change the course of as many circumstances, the browser will still be able to recognize the files as HTML documents. Miss Stone said: “My concern is fuzzing framework for software architecture, not the details.”

According to ZDI research manager Allen – Potonie (Aaron Portnoy) on the Wu Shi vulnerability study found that Miss Stone will not be found on his in-depth analysis of vulnerability. But he believes that this Chinese researchers used the method to other methods can capture not find loopholes. “These files related to the project’s hierarchy has complicated, but he can change the relation tree structure Fuza working Fang Shi, and not just one of a project.” Potonie Shui “Many people Zhishi fuzz data, and Ta data is the relationship between fuzz. ”

Professional frustration switch:

Miss Stone said it is working through a series of failures experienced after the discovery of vulnerabilities to achieve a breakthrough. When China’s stock market started to surge in 2006 when Miss Stone was still a small IT company where he felt at the time of their career is like a sinking ship, and therefore the extreme despair. Salary was even difficult to make ends meet to support their families Wu Shi.

Wu Shi later resigned from that house IT companies, and created a company based on P2P file-sharing technology. But when a large customer refused to pay compensation for a major project, the Wu Shi also left looking for a partner away, so the company going bankrupt. After that, Wu Shi began to build a security consulting firm, and test him once many years ago when he was studying at Fudan University’s vision of a fuzzing method. He found that some of Microsoft security vulnerabilities and report directly to Microsoft. After that, he only mouth from a friend so that the ZDI “Buy loopholes” in the organization. Since then, Miss Stone became a full-time vulnerability hunters.

This experience has been quite find loopholes harvest. ZDI bought from Miss Stone, 50 holes, each price of at least 5000 U.S. dollars, and iDefense have occasionally been more than 10 thousand U.S. dollars to pay to buy a small amount of vulnerability. Miss Stone did not say in this regard so far specific receipts, but a simple calculation can know that the benefits in this regard should be more than 250 thousand U.S. dollars, which in China can be a not small number. ZDI Wu Shi also awarded the “Platinum (platinum status)” Award, the award winners can get 20,000 U.S. dollars prize money, and free to participate in Las Vegas at the “black hat” (Black Hat) security General Assembly.

Apple’s poor safety awareness:

A Chinese researcher can master hundreds of major flaws, this news is indeed a number of companies concerned. However, Miss Stone said he will only sell to those vulnerabilities, “do no evil” company, and will report directly to the vulnerability to the affected software company. He said that there were black market buyers willing to pay 10 times more money than the ZDI price to buy a number of IE vulnerabilities discovered, Miss Stone had said that it will not take any risks involved in the crime debate.

Even so, Wu Shi found so many loopholes, it may cause trouble, especially on Apple software, even more so. Miss Stone said that he had been concerned about Apple software vulnerabilities, because Apple itself has been less attention to this problem (Apple currently does not comment on the matter).

Over the past decade, Microsoft has been working with the fight against network attacks, to keep their software secure. Wu Shi list, in 2001, “Code Red” worm has infected hundreds of thousands of computers, and a violation of a number of websites, some are black site also played “Chinese hacker attack” in the word language, but over the years, Apple for once ignore the smug hackers and security from that nothing.

However, Wu Shi view, Apple’s ease of this temporary situation will not continue. With the increasing number of attacks on Apple software may no longer be because of relatively small market share from security problems. Miss Stone said: “iPhone and the Mac operating system, Windows 7 is more than vulnerable. In my view, Apple’s software will face more attacks.”