Last week, WikiLeaks chief Julian Assange said he would hand over the CIA hacking tools that fell into his lap to various technology companies before making the exploits public. We're told he has at least reached out to one tech corp.
The so-called Vault 7 archive, dumped online by WikiLeaks on March 7, listed techniques used by the CIA to spy on computers, phones, networking gear, smart TVs, and IoT devices. The documents didn't contain any significant malicious code – although there was this one dodgy JQSNICKER .reg file. It was essentially all descriptions of how the top-secret hacking toolkits could work.
After the Vault 7 release, the UK Ecuadorian Embassy's record-breaking house guest promised the attack tools would be released. But before that could happen, the vulnerabilities that the tools exploit would have to be patched, and the silver fox said his organization would be working with corporate security teams.
According to sources close to the matter, WikiLeaks has opened a line of communication with Microsoft since the Vault 7 release. No actual files or other data have been sent in as yet, but talks are continuing.
"WikiLeaks has made initial contact with us via firstname.lastname@example.org," a Microsoft spokesperson told The Register on Monday.
Apple and Google haven't replied to requests for comment on the matter yet, but it does appear that WikiLeaks will be playing by the rules of responsible disclosure on this one. Which is very good news for the rest of us.
As we've seen with previous attack tool and exploit releases, dumping working malicious code on an unsuspecting world is a field day for computer criminals and a massive headache for vendors. A recent RAND Corporation report suggested the average time to weaponize a new exploit was 22 days, but if the rewards are large enough you can bet the crims would pull out all the stops and go much faster.
Last year, Cisco engineers were forced to scramble when the leak of hacking tools from the Equation Group, thought to be an NSA hacking team, went up online. The toolkit exploited two serious vulnerabilities in Cisco's kit, and Juniper and Fortinet also had to get patching.
In 2015 the Italian surveillanceware maker Hacking Team had its servers ransacked, and again the race was on. Vulnerabilities in Microsoft's software were exposed, and at the Black Hat conference the following month, several Redmond staff expressed their frustration at the way the release had been handled.
Of course, even if WikiLeaks does release its code to manufacturers with enough time to get all operating systems and applications patched up, there are still going to be problems. Not everyone patches regularly enough, and there will be plenty of low-hanging fruit for malware users to harvest. ®