When Wikileaks released its cache of CIA documents earlier in March, it held back the details of zero-day exploits that would let cybercriminals take advantage of vulnerabilities in computer equipment used by the American public. Wikileaks promised to hold onto them until it could work with developers to make sure the vulnerabilities in question are patched.
That was a welcome tactic, theoretically, but it has apparently run into some snags. It appears Wikileaks attached some conditions to its cooperation and meeting those conditions might be problematic for some of the companies involved, Schneier on Security reports.
WikiLeaks provided an update via Twitter that laid out the fact that, according to the organization, some companies are hesitant to sign off on the conditions due to their U.S. security clearances:
Update on CIA #Vault7 "zero day" software vulnerabilities
— WikiLeaks (@wikileaks) March 18, 2017
There might be other conditions holding companies back. According to sources, one condition is a 90-day time limit on getting vulnerabilities patched. Such a condition would be similar to the practices of Google’s Project Zero, which has a hard limit of 90 days on how long it will wait to publish an exploit after information is shared with a vendor.
According to Motherboard, there might be other issues as well. Companies could be concerned about how the documents were procured and whether any of the information on the CIA hacks came from the Russian government. Regardless of the reasons, it’s clear that Wikileaks and the developers involved with the vulnerabilities have some distance between them on how to proceed in fixing and then disclosing the exploits.
In the meantime, there is a project underway that seeks to make sense of the 400 companies, products, and terms included in the Vault 7 cache of documents that Wikileaks has already published. If successful, the project would at least help anyone concerned about whether any of their devices have potentially been compromised.
This is a very fluid situation involving a number of organizations that all have stakes in the outcome. The information will likely make its way into the public sphere, so the only questions remaining are what exactly the impact will be and whether or not all of the CIA hacks have been resolved.