WikiLeaks says it will work with software vendors to fix CIA zero-day exploits… but when?

Graham Cluley



Julian Assange’s WikiLeaks didn’t earn itself much love from the infosec community when it (incorrectly) claimed in its Vault 7 press release that encrypted chat apps like Signal and WhatsApp had been cracked by the CIA (they haven’t), and some in the media made the mistake of getting very excited with the concept that your Samsung TV might have been remotely hacked to spy on your conversations (it hasn’t).

The reality is that the vast majority of us should be worrying much more about being phished by the next email we receive than by WikiLeaks’s revelations of alleged zero-day vulnerabilities held only by the CIA.

Nonetheless, if there are unpatched vulnerabilities in Android, iOS, Windows, etc. that law enforcement agencies are aware of (and potentially using) but have not informed the software manufacturer about, then that’s a big problem.

Because if an intelligence agency has worked out a way of hacking a smartphone remotely, for instance, then there’s a chance that others have worked it out too. Including criminal gangs or rogue nation states.

The best course of action for millions of innocent technology users around the world is for vulnerabilities to be responsibly reported and patched quickly by vendors.

Put simply: if, say, the CIA doesn’t share details with a technology firm about the exploitable flaws it has discovered, there is a chance that the very people the CIA is trying to protect could themselves be hacked.

So, I was pleased to hear Assange say at an online press conference that WikiLeaks had decided to share details of the vulnerabilities with the relevant vendors so fixes could be rolled out:

“We have decided to work with them, to give them some exclusive access to the additional technical details we have so that fixes can be developed and pushed out so that people can be secured. And then, once this material is effectively disarmed by us, by removing critical components, we will publish additional details about what has been occurring.”

What a shame that Assange did not co-ordinate with vendors *before* releasing the “Vault 7” data dump. What a positive story that could have been.

As Forbes reports, WikiLeaks doesn’t yet seem to have shared any details with Google and Microsoft at least.

Let’s hope that this information-sharing is happening as we speak, so any remaining vulnerabilities are not left unpatched for any day longer than necessary. Any delay in sharing the details would reflect very poorly on Assange and his WikiLeaks organisation.

You can hear some of my personal views about WikiLeaks’s release of the “Vault 7” CIA data dump in last week’s “Smashing Security” podcast where I was joined by Carole Theriault and special guest Paul Ducklin (better known as “Duck”).


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
