WikiLeaks promises to supply CIA's hacking tool code to vendors

Patch, patch .. attention snatch

WikiLeaks has promised to release software code of CIA hacking tools to tech firms.

The promise from chief Wikileaker Julian Assange – now ensconced in Ecuador's London embassy for four and a half years – came on Thursday during an internet-streamed press conference on Vault 7, its recent CIA cyber-weapons documents dump.

"We have decided to work with them [manufacturers] to give them some exclusive access to the additional technical details we have, so that fixes can be developed and pushed out," Assange said. "Once this material is effectively disarmed by us, by removing critical components, we will publish additional details."

National security experts argued that the info should come from the source itself, rather than through WikiLeaks.

"Disclosure of #Vault7 0days should come from USG, not Wikileaks," said former USAF officer turned cybersecurity expert Jason Healey. "WH should convene emergency VEP & CIA should disclose ASAP to vendors."

Computer science professor Matthew Green added: "Assange is personally going to see those Android 4.x phones get patched."

Others were more supportive. "Actually, among the crap, this is reasonable," said Rob Graham of Errata Security. "Wikileaks should disclose the 0days to vendors to patch them." ®
