The Communications and Electronics Security Group (CESG), the information security arm of GCHQ, was credited with the discovery of two vulnerabilities that were patched by Apple last week.
The flaws could allow hackers to corrupt memory and cause a denial of service through a crafted app or execute arbitrary code in a privileged context.
The memory handling vulnerabilities (CVE-2016-1822 and CVE-2016-1829) affect OS X El Capitan v10.11 and later operating systems, according to Apple's 2016-003 security update. The memory corruption vulnerabilities allowed hackers to execute arbitrary code with kernel privileges.
The disclosure raises questions about the use of zero-day exploits by the UK's GCHQ and by intelligence agencies internationally. Information security professionals see competing priorities in how intelligence agencies make use of vulnerabilities.
John Bambenek, senior threat researcher at Fidelis Cybersecurity, noted that intelligence agencies' primary duties of gathering information on potential adversaries and protecting their constituencies do not always align. In an email to SCMagazine.com, he said, “If I were running such a programme I might be inclined to hold vulnerabilities secret but once those are used by other less-than-friendly nations there is a clear danger that needs to be remediated by working with the vendor to repair them.”
Yehuda Lindell, a cryptography professor at Bar-Ilan University and chief scientist at Dyadic Security, said GCHQ could have disclosed the vulnerabilities to Apple because they are no longer needed, because the agency may have multiple vulnerabilities that achieve the same end, or because it may have a better tool. “It's pure speculation,” he told SC.
The issue of intelligence agencies using zero-day exploits set off a vigorous debate in the US last year. In November 2015, the Office of the Director of National Intelligence (ODNI) disclosed the Vulnerabilities Equities Process, a document that governs the use of zero-day vulnerabilities by intelligence agencies. The document, while classified, had long been known to civil liberties and privacy groups.
In April 2014, White House Cybersecurity Coordinator Michael Daniel argued that it “would not be in our national security interest” for US intelligence agencies to amass a “stockpile of undisclosed vulnerabilities while leaving the internet vulnerable,” in a White House blog post. However, he also cautioned against the argument “that we should completely forgo this tool as a way to conduct intelligence collection”.
Daniel added, “Weighing these tradeoffs is not easy, and so we have established principles to guide agency decision-making in this area. We have also established a disciplined, rigorous and high-level decision-making process for vulnerability disclosure.”
In January, ODNI rescinded redactions to the Vulnerabilities Equities Process, in response to a Freedom of Information Act lawsuit filed by the Electronic Frontier Foundation (EFF). The policy confirmed suspicions that zero-day vulnerabilities were used in law enforcement activities, in addition to espionage activities for intelligence agencies.
The tone of the public dialogue involving intelligence agencies has led to an erosion of trust, Lindell noted. “What has happened to the public perception?” he asked. “I know it's not healthy.”