Hailing frequencies open! WikiLeaks pings Microsoft after promise to share CIA tools

Windows giant approached, Google, Apple next, we hope

Last week, WikiLeaks chief Julian Assange said he would hand over the CIA hacking tools that fell into his lap to various technology companies before making the exploits public. We're told he has reached out to at least one tech corp.

The so-called Vault 7 archive, dumped online by WikiLeaks on March 7, listed techniques used by the CIA to spy on computers, phones, networking gear, smart TVs, and IoT devices. The documents didn't contain any significant malicious code – although there was this one dodgy JQSNICKER .reg file. It was essentially all descriptions of how the top-secret hacking toolkits could work.

After the Vault 7 release, the UK Ecuadorian Embassy's record-breaking house guest promised the attack tools would be released. But before that could happen, the vulnerabilities that the tools exploit would have to be patched, and the silver fox said his organization would be working with corporate security teams.

According to sources close to the matter, WikiLeaks has opened a line of communication with Microsoft since the Vault 7 release. No actual files or other data have been sent in as yet, but talks are continuing.

"WikiLeaks has made initial contact with us via secure@microsoft.com," a Microsoft spokesperson told The Register on Monday.

Apple and Google haven't replied to requests for comment on the matter yet, but it does appear that WikiLeaks will be playing by the rules of responsible disclosure on this one. Which is very good news for the rest of us.

As we've seen with previous releases of attack tools and exploits, dumping working malicious code on an unsuspecting world is a field day for computer criminals and a massive headache for vendors. A recent RAND Corporation report suggested the average time to weaponize a new exploit was 22 days, but if the rewards are large enough you can bet the crims would pull out all the stops and go much faster.

Last year, Cisco engineers were forced to scramble when the leak of hacking tools from the Equation Group, thought to be an NSA hacking team, went up online. The toolkit exploited two serious vulnerabilities in Cisco's kit, and Juniper and Fortinet also had to get patching.

In 2015 the Italian surveillanceware maker Hacking Team had its servers ransacked, and again the race was on. Vulnerabilities in Microsoft's software were exposed, and at the Black Hat conference the following month, several Redmond staff expressed their frustration at the way the release had been handled.

Of course, even if WikiLeaks does release its code to manufacturers with enough time to get all operating systems and applications patched up, there are still going to be problems. Not everyone patches regularly enough, and there will be plenty of low-hanging fruit for malware users to harvest. ®

