WikiLeaks to Help Tech Firms Patch Vulnerabilities

Written by Aldrin Brown
March 17, 2017

Editor Julian Assange said the organization would cooperate with vendors like Microsoft, Apple and others to fix security flaws exposed by last week’s release of a C.I.A. cyberweapons toolkit.

Makers of popular hardware and software products will get help from WikiLeaks in fixing security flaws that were revealed in a recent leak of sensitive C.I.A. cyber tools.

The leak distribution website this month released thousand of pages detailing how American and allied spies hack into computers, Apple and Android smartphones, and even smart TVs.

But the hundreds of millions of lines of code did not include complete details for creating the cyberweapons, and WikiLeaks founder and editor Julian Assange announced that his organization would work with the vendors to address vulnerabilities before making the full codes public.

“After considering what we think is the best way to proceed and hearing these calls from some of the manufacturers, we have decided to work with them to give them exclusive access to additional technical details we have, so that fixes can be developed and pushed out,” Assange said during a news conference. “Once this material is effectively disarmed by us, we will publish additional details about what has been occurring.”

The document dump appears to reveal secret C.I.A. cyber-tools, including “malware, viruses, Trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation,” WikiLeaks said in a statement at the time.

Following the disclosure, WikiLeaks posted a poll on its Twitter page asking followers how the organization should proceed.

“Tech companies are saying they need more details of CIA attack techniques to fix them faster,” said a version of the tweet captured and posted by the cybersecurity blog Krebs on Security. “Should WikiLeaks work directly with them?

At the time, the poll had generated 38,205 responses, with 57 percent voting “yes, make people safe,” and 36 percent voting “no, they’re the problem.”

Assange suggested that some of the fixes could be developed and released in a few days, while others, like those involving the critical code for phones and smart TVs, could take much longer.

Tim Bandos, director of cybersecurity at security firm Digital Guardian, told MSPmentor recently that his firm was eagerly awaiting the release of patches related to the holes exposed by the C.I.A. hacking documents.

“Every vulnerability will be different,” he said. “I think, really, the delay is going to be in getting (patches) deployed out to the consumers.”

“If you look at the smart TVs, they’ll have to update the firmware,” Bandos added. “You can’t just automatically push that out.

“Someone is going to have to connect to the Internet and download the update. There’s going to be a lag.”

Send tips and news to MSPmentorNews@Penton.com.