How much are vendor security assurances worth after the CIA leaks?

Lucian Constantin

Following the recent revelations about the U.S. Central Intelligence Agency's cyberespionage arsenal, software vendors reiterated their commitments to fix vulnerabilities in a timely manner and told users that many of the flaws described in the agency's leaked documents have been fixed.

While these assurances are understandable from a public relations perspective, they don't really change anything, especially for companies and users that are the target of state-sponsored hackers. The software they use is not less safe, nor better protected, than it was before WikiLeaks published the 8,700-plus CIA documents last Tuesday.

The leaked files describe malware tools and exploits used by the CIA's cyber divisions to hack into all major desktop and mobile operating systems, as well as into networking gear and embedded devices like smart TVs. The documents don't contain the actual code of those tools and some of the supposedly more telling descriptions have been redacted.

WikiLeaks founder Julian Assange said that his organization will share unpublished details with software vendors so that the vulnerabilities can be patched. But even if WikiLeaks does that, it's important to realize that the information only represents a snapshot in time.

The most recent date string in the documents is from early March 2016, potentially indicating when the files were copied from the CIA's systems. Some of the exploit listings suggest the same.

For example, the page describing exploits for Apple's iOS contains a table that has them arranged by iOS version. That table stops at iOS 9.2, which was released in December 2015. The next significant update, iOS 9.3, was released in late March 2016.

One kernel exploit, codenamed Nandao, which was obtained from the U.K.'s GCHQ, is listed as working for iOS versions 8.0 to 9.2. Does that mean that it doesn't work on iOS 9.3 or even more recent versions of the operating system? Not necessarily. It's more likely that the table stops at 9.2 because that was the latest version of iOS when the CIA files were copied.

Moreover, it's highly unlikely that Apple can tell whether this and other exploits have been patched without additional details. The only description for "Nandao" is that it's a heap overflow memory corruption vulnerability, and there's no indication of which kernel component it's actually located in.

"Unless Apple obtained full details and/or the exploits as well as performed a thorough root cause analysis, Apple can't be sure that newer versions aren't affected," Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security, said via email.

That's also the case for flaws affecting other software. Eiram's company was able to confirm that some have been patched, but some still work in the latest versions of the programs they affect, like a DLL hijacking flaw in the Prezi Desktop presentation software.
