You can stop worrying: WikiLeaks is holding onto the zero-day exploits in its CIA trove of documents until developers can fix them.
WikiLeaks made history this week by releasing the largest trove of confidential CIA documents ever, including over 7,818 web pages, 943 attachments, and hundreds of millions of lines of code. Called “Vault 7,” the collection included a slew of hacking and cyber espionage tools used by the CIA between 2013 and 2016.
Among the tools that were leaked are various malware, viruses, and remote control systems capable of infecting Windows, MacOS, Linux, Android, and iOS. WikiLeaks released general information about the tools, but it also possesses the details of a number of weaponized “zero-day” vulnerabilities — which the organization isn’t releasing just yet, as Krebs on Security reports.
Zero-day vulnerabilities are bugs that have opened software up to active exploits and about which the software’s developer is unaware. Google has its own Project Zero, which identifies zero-day vulnerabilities, notifies the developer, and then waits 90 days before it publishes the vulnerability — whether or not the developer has fixed it.
WikiLeaks editor-in-chief Julian Assange has indicated that his organization won’t be following Project Zero’s lead. In a WikiLeaks press conference, Assange said, “After considering what we think is the best way to proceed, and hearing these calls from some of the manufacturers, we have decided to work with them to give them exclusive access to additional technical details we have, so that fixes can be developed and pushed out.”
Only when the vulnerabilities are patched will WikiLeaks publish the details. WikiLeaks posted a poll on Twitter, and the majority of respondents answered that the organization should work with technology companies on fixes. The next most popular response was, “No, they’re the problem.”
Tech companies are saying they need more details of CIA attack techniques to fix them faster. Should WikiLeaks work directly with them?
— WikiLeaks (@wikileaks) March 8, 2017
WikiLeaks didn’t provide any additional information on how it would be working with developers to ensure the zero-day vulnerabilities are fixed or on how long it expected the process to take. While the documentation that has already been leaked could lead to exploits, at least the details required to easily make use of these now-known vulnerabilities won’t be making it to the wild before patches can be created and provided to users.