Google has issued a statement saying that ‘many’ of the Android exploits reportedly used by the CIA have already been addressed. Google’s statement used wording similar to that of one issued earlier by Apple.
As we’ve reviewed the documents, we’re confident that security updates and protections in both Chrome and Android already shield users from many of these alleged vulnerabilities. Our analysis is ongoing.
But the WSJ reports that they and other tech companies are being hampered by two factors …
The first is the lack of any access to the code itself.
Companies now find themselves in a difficult position: They believe that at least two organizations have access to hacking code that exploits their products — the CIA and WikiLeaks — but neither one is sharing this software.
Cisco – whose devices were also targeted – says that this severely limits the ability of engineers to plug the holes described in the documents.
Cisco, which makes routers and other internet equipment, said that without more information on the exact tools and malware involved, “the scope of action that can be taken […] is limited.”
One possibility is that the leaks may force the government to disclose the vulnerabilities to tech companies through the Vulnerability Equities Process, but even if this happens, it is likely to take considerable time.
Officials are discussing whether to use that process to disclose more information about the issues described in the documents released by WikiLeaks, but that is likely to involve a lengthy interagency review, said one person familiar with the situation.
The second challenge is that the vulnerabilities described to date may be just the tip of the iceberg. It has been claimed that the 8,761 documents so far released by WikiLeaks amount to just 1% of the material it holds – meaning that a great many additional vulnerabilities exist.
It’s a scenario that could very well repeat itself again if WikiLeaks discloses new secrets allegedly taken from the CIA. The group says that it has now disclosed just 1% of the documents in its possession. “If it is the case that they have so much more, that, I think, will have a lot of people quite nervous,” said Thomas Rid, a professor of security studies with King’s College London.
Neither Google nor Apple has given any estimate of the percentage of the vulnerabilities which have already been patched.