China delayed flaw notification to exploit them: researchers

By on
China delayed flaw notification to exploit them: researchers
CNNVD page with backdated details on a Microsoft Office vulnerability exploited in the wild. Source: Recorded Future.

Flaws backdated in national database.

Security researchers claim China's Ministry of State Security delayed public notification and patch guidance for a number of vulnerabilities so they could be exploited by state hackers.

Researchers at security vendor Recorded Future compared how China's national vulnerability database (CNNVD) published information about IT threats with its United States equivalent.

They found that the Chinese government had altered the original publication dates for at least 267 vulnerabilities to make it appear they had been published earlier than they actually were.

The researchers claim this indicates the government had delayed publication in order to evaluate the flaws for internal use by the Ministry of State Security (MSS), China's foreign and national intelligence service.

Original publication dates were also altered so as to hide which vulnerabilities the MSS might be using at any given time, Recorded Future claims.

There was "no other logical explanation" for the "systemic retroactive alteration of original publication dates", the researchers argued, but did not provide proof for this assertion.

"The selective backdating of vulnerability publication for the outliers is essentially a tacit confirmation from CNNVD of their vulnerability evaluation program and the operational use of some delayed vulnerabilities," they said.

"Changing the dates after publication prevents researchers from conducting bulk historical analysis of CVE publication and from identifying vulnerabilities which the MSS or Chinese intelligence services may be exploiting in operations."

They did however find direct evidence that initial CNNVD publication dates for vulnerabilties were backdated, in one case by 236 days, to match those of the US NVD.

They cited two particular CVEs that had been backdated: the CVE-2017-0199 vulnerability against Microsoft Office and Windows Wordpad, and CVE-2016-10136, which exfiltrates large amounts of data from Android phones sold in China and the United States.

Recorded Future conducted an initial study of CNNVD last November to assess how quickly details of vulnerabilities were published.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
china cve recorded future security
In Partnership With

Most Read Articles

Windows flaw lets Zoom leak network credentials, runs code remotely

Windows flaw lets Zoom leak network credentials, runs code remotely
Woolworths, Coles to raise tap-and-go limit to $200

Woolworths, Coles to raise tap-and-go limit to $200
Google location data shows Australia grinding to halt

Google location data shows Australia grinding to halt
Australia launches COVID-19 app, WhatsApp chat

Australia launches COVID-19 app, WhatsApp chat
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Here's the fast, cost-effective way to deploy Single Sign-On for Office 365
Here's the fast, cost-effective way to deploy Single Sign-On for Office 365
Driving business innovation through private cloud solutions
Driving business innovation through private cloud solutions
Future proofing your datacentre with hyperconverged infrastructure
Future proofing your datacentre with hyperconverged infrastructure
The Network for the Digital Business Starts with the Secure Access Service Edge (SASE)
The Network for the Digital Business Starts with the Secure Access Service Edge (SASE)
Are you getting profitable outcomes from your IT?
Are you getting profitable outcomes from your IT?

Events

Log In

Username / Email:
Password:
  |  Forgot your password?