On Thursday, Wikileaks founder Julian Assange said that his organization will share information with tech companies about product vulnerabilities from the "Vault 7" CIA data published on Tuesday.
"After considering what we think is the best way to proceed and hearing these calls from some of the manufacturers, we have decided to work with them to give them some exclusive access to the additional technical details that we have so that fixes can be developed and pushed out, so that people can be secure," Assange said in a live-streamed press conference from the Ecuadorian Embassy in London, where Assange has resided since 2012. He also emphasized that Tuesday's data trove comprises only a portion of the total leaked information the organization holds, and that more will come.
That leaked CIA cache, which currently includes almost 9,000 documents, contains information about CIA offensive hacking operations including details about malware, viruses, trojans, and undisclosed zero-day vulnerabilities that the agency allegedly uses for digital intelligence-gathering. Targeted devices include not just computers and smartphones, but also internet-connected TVs and network servers. "This is a historic act of devastating incompetence to have created such an arsenal and stored it all in one place and not secure it," Assange said.
Crucially, WikiLeaks also says it has access to---but withheld and redacted---source code, which would show specifically how these attacks work, enabling opportunistic bad actors to apply them as well. It's that code that Wikileaks says it will share with tech companies, so that they can see specifically where the holes are and more efficiently patch them.
"The fact that WikiLeaks is committing to responsibly disclose any exploits before they publish them is a relief to me," says Nathan White, senior legislative manager at the open internet nonprofit Access Now. "I think it's a significant change for WikiLeaks, which has been criticized in the past for publishing first and worrying about what's in it later."
Meanwhile, some companies have already noted that they had patched certain vulnerabilities listed in the dump in the immediate wake of the Vault 7 release. Apple said that it had already discovered and patched "many" of the 14 iOS bugs described in the documents, and that it is working to "rapidly address" the rest. A Microsoft spokesperson told CNBC on Wednesday that, "We are aware of the report and we are looking into it." The Linux Foundation said that as an open source project, it has the vetting and agility to add software updates quickly and assist other open source software.
Assange did not explain why Wikileaks didn't disclose these vulnerabilities to software vendors prior to or concurrent with making even the neutered versions publicly available on Tuesday. It also remains to be seen if and when WikiLeaks will follow through on this morning's promise.
"We've seen Julian Assange's statement and have not yet been contacted," a Microsoft spokesperson told WIRED. "Our preferred method for anyone with knowledge of security issues, including the CIA or Wikileaks, is to submit details to us at secure@microsoft.com so we can review information and take any necessary steps to protect customers." Other tech companies WIRED contacted did not immediately respond.
"I will believe that when I hear independent confirmation," Jake Williams, founder of the threat intelligence firm Rendition Infosec, said of Assange's promise. "This sounds like pure hype to me."
It's also possible that tech companies already have access to the information in question. The CIA has reportedly been aware of the leak for a few months, and White raises the possibility that the agency had already begun notifying tech companies about vulnerabilities described in the stolen data.
There's also the question of how much time companies will have to patch those holes. Assange indicated that he plans to drop more documents; if that includes source code, the gap between initial disclosure and public consumption will be critical. Once that code is public, anyone will be able to deploy the attacks it describes.
"Even a short time frame is better than no time frame," says White. "Any disclosure in advance is still useful."
It's important to note, too, that patching these vulnerabilities won't act as a panacea. To receive protection, consumers will need to download the software updates companies release, a process which can be challenging on Internet of Things devices like smart TVs and, crucially, the large population of Android devices running legacy versions of the operating system, or versions that are altered and don't receive updates directly from Google.
And while WikiLeaks sharing information with companies would be an important first step, security experts are taking a wait-and-see approach.
"Is [Assange] also giving it to security firms so they can do forensic analysis?" says Dave Aitel, a former NSA analyst who now runs the security firm Immunity. "Having a hacker lecture us about vulnerabilities and disclosure is the height of rich hypocrisy."
If WikiLeaks does what Assange says it will, though, and in a responsible way, it would be a welcome moment of restraint for an organization that has historically shown little interest in it.
This story has been updated to include a comment from Microsoft.