China delayed flaw notification to exploit them: researchers

By on
China delayed flaw notification to exploit them: researchers
CNNVD page with backdated details on a Microsoft Office vulnerability exploited in the wild. Source: Recorded Future.

Flaws backdated in national database.

Security researchers claim China's Ministry of State Security delayed public notification and patch guidance for a number of vulnerabilities so they could be exploited by state hackers.

Researchers at security vendor Recorded Future compared how China's national vulnerability database (CNNVD) published information about IT threats with its United States equivalent.

They found that the Chinese government had altered the original publication dates for at least 267 vulnerabilities to make it appear they had been published earlier than they actually were.

The researchers claim this indicates the government had delayed publication in order to evaluate the flaws for internal use by the Ministry of State Security (MSS), China's foreign and national intelligence service.

Original publication dates were also altered so as to hide which vulnerabilities the MSS might be using at any given time, Recorded Future claims.

There was "no other logical explanation" for the "systemic retroactive alteration of original publication dates", the researchers argued, but did not provide proof for this assertion.

"The selective backdating of vulnerability publication for the outliers is essentially a tacit confirmation from CNNVD of their vulnerability evaluation program and the operational use of some delayed vulnerabilities," they said.

"Changing the dates after publication prevents researchers from conducting bulk historical analysis of CVE publication and from identifying vulnerabilities which the MSS or Chinese intelligence services may be exploiting in operations."

They did however find direct evidence that initial CNNVD publication dates for vulnerabilties were backdated, in one case by 236 days, to match those of the US NVD.

They cited two particular CVEs that had been backdated: the CVE-2017-0199 vulnerability against Microsoft Office and Windows Wordpad, and CVE-2016-10136, which exfiltrates large amounts of data from Android phones sold in China and the United States.

Recorded Future conducted an initial study of CNNVD last November to assess how quickly details of vulnerabilities were published.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
china cve recorded future security
In Partnership With

Most Read Articles

Telstra to cut at least 8000 jobs

Telstra to cut at least 8000 jobs
UNSW loses data after IBM storage failure

UNSW loses data after IBM storage failure
PageUp People revises data impacted by breach

PageUp People revises data impacted by breach
Telstra completely changes how it sells enterprise services

Telstra completely changes how it sells enterprise services
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Managed Security Service Providers for Dummies
Managed Security Service Providers for Dummies
The Cost of Cloud Expertise report
The Cost of Cloud Expertise report
The business case for hyperconvergence
The business case for hyperconvergence
What Every CIO Should Know about DevOps & Container Guides by Puppet
What Every CIO Should Know about DevOps & Container Guides by Puppet
The 5G Business Potential – Industry digitalisation and the untapped opportunities for operators
The 5G Business Potential – Industry digitalisation and the untapped opportunities for operators

Events

Most popular tech stories

Log In

Username / Email:
Password:
  |  Forgot your password?