WikiLeaks says it will work with software vendors to fix CIA zero-day exploits… but when?

After the media hystericane, Julian Assange says he will help bugs get fixed.


Julian Assange’s WikiLeaks didn’t earn itself much love from the infosec community when it (incorrectly) claimed in its Vault 7 press release that encrypted chat apps like Signal and WhatsApp had been cracked by the CIA (they haven’t), and some in the media made the mistake of getting very excited with the concept that your Samsung TV might have been remotely hacked to spy on your conversations (it hasn’t).

The reality is that the vast majority of us should be worrying much more about being phished by the next email we receive than by WikiLeaks’s revelations of alleged zero-day vulnerabilities held only by the CIA.

Nonetheless, if there are unpatched vulnerabilities in Android, iOS, Windows etc. that law enforcement agencies are aware of (and potentially using) but have not informed the software manufacturer about, then that’s a big problem.


Because if an intelligence agency has worked out a way of hacking a smartphone remotely, for instance, then there’s a chance that others have worked it out too. Including criminal gangs or rogue nation states.

The best course of action for millions of innocent technology users around the world is for vulnerabilities to be responsibly reported and patched quickly by vendors.

Put simply: If, say, the CIA doesn’t share details with a technology firm about the exploitable flaws it has discovered there is a chance that the very people the CIA is trying to protect could themselves be hacked.

So, I was pleased to hear Assange say at an online press conference that WikiLeaks had decided to share details of the vulnerabilities with the relevant vendors so fixes could be rolled out:

“We have decided to work with them, to give them some exclusive access to the additional technical details we have so that fixes can be developed and pushed out so that people can be secured. And then, once this material is effectively disarmed by us, by removing critical components, we will publish additional details about what has been occurring.”

WikiLeaks Press Conference, Thursday 9 March 2017, on CIA/Vault7/YearZero

What a shame that Assange did not co-ordinate with vendors *before* releasing the “Vault 7” data dump. What a positive story that could have been.

As Forbes reports, WikiLeaks doesn’t yet seem to have shared any details with Google and Microsoft at least.

Let’s hope that this information-sharing is happening as we speak, so any remaining vulnerabilities are not left unpatched for any day longer than necessary. Any delay in sharing the details would reflect very poorly on Assange and his WikiLeaks organisation.

You can hear some of my personal views about WikiLeaks’s release of the “Vault 7” CIA data dump in this episode of the “Smashing Security” podcast where I was joined by Carole Theriault and special guest Paul Ducklin (better known as “Duck”).

Smashing Security #011: 'WikiLeaks and the CIA'


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
