WikiLeaks founder Julian Assange speaks from the balcony of the Ecuadorean Embassy in London. He promised to deliver details of CIA hacks to major tech companies affected by the leak, but Google and Microsoft are yet to be contacted, sources told Forbes. (AP Photo/Kirsty Wigglesworth, File)
It’s been two days since Julian Assange promised Wikileaks would hand over more information on Central Intelligence Agency (CIA) hacker tools to tech giants. That pledge followed a leak of nearly 9,000 documents that Wikileaks claimed belonged to CIA hacking units.
But while that altruistic move should help protect every one of their users from cyberattack, neither Google nor Microsoft had received details from Wikileaks on vulnerabilities in their software by Saturday morning, according to sources familiar with the companies’ security teams.
Google did not offer official comment, but two sources close to the company’s security staff said there had been no contact. One said there was now concern Wikileaks had duped the public with a PR move of little to no substance, though on Thursday one external Android security expert who’d reviewed the CIA files said it appeared there were multiple vulnerabilities Google would need to address.
“We’ve seen Julian Assange’s statement and have not yet been contacted,” a Microsoft spokesperson said in an emailed statement Friday, originally sent to press on Thursday the same day Assange claimed Wikileaks would help provide “antidotes” for CIA exploits before publishing them. As of Saturday, Microsoft had not provided any further update, after Forbes’ enquiries. Wikileaks had not returned requests for comment.
The Microsoft spokesperson added: “Our preferred method for anyone with knowledge of security issues, including the CIA or Wikileaks, is to submit details to us at firstname.lastname@example.org so we can review information and take any necessary steps to protect customers.”
While the Wikileaks Vault 7 leak also affected Apple products, from iPhones to Macs, the Cupertino firm had not provided any comment at the time of publication. Samsung, whose smart TVs were targeted by CIA hackers as part of a joint research project with Britain’s MI5 spy agency, also hadn’t responded to enquiries.
Apple, Google and Microsoft said many of the leaked CIA tools targeted older systems and that most were likely dealt with in past software updates. Despite such assurances, the tech giants’ were not confident enough to provide specifics or confirm all issues were patched.
Wikileaks ‘should publish malware’
And while there were few examples of actually usable code in the CIA Vault 7 leak, some Windows malware was uncovered by security expert Marc Maiffret, indicating Wikileaks may have mistakenly left it unredacted. Maiffret, who is chief technology officer at security firm BeyondTrust, posted an analysis of the Windows implant yesterday. He noted that publishing spyware was nothing like publishing vulnerabilities, as cybercriminals and other kinds of malicious hackers will already have access to such tools.
He urged Wikileaks to publish all malware code, however, and should “help defenders and work with technology companies affected by the vulnerabilities and exploits to produce patches for customers.”
“It is of course very time consuming and not always easy to analyze all of this technical data to figure out what parts are malware/implants vs. vulnerabilities/exploits. This is why they seemingly redacted all of that type of data in general except for this mistake here that I wrote about.”
Either Wikileaks is still triaging the data so it can hand useful data to the likes of Google and Microsoft or it just played the media and the public. If its the former, the security world wouldn’t mind some haste.
Got a tip? Email at TFox-Brewster@forbes.com or email@example.com for PGP mail. Get me on Signal on +447837496820 or firstname.lastname@example.org on Jabber for encrypted chat.