China delayed flaw notification to exploit them: researchers

By on
China delayed flaw notification to exploit them: researchers
CNNVD page with backdated details on a Microsoft Office vulnerability exploited in the wild. Source: Recorded Future.

Flaws backdated in national database.

Security researchers claim China's Ministry of State Security delayed public notification and patch guidance for a number of vulnerabilities so they could be exploited by state hackers.

Researchers at security vendor Recorded Future compared how China's national vulnerability database (CNNVD) published information about IT threats with its United States equivalent.

They found that the Chinese government had altered the original publication dates for at least 267 vulnerabilities to make it appear they had been published earlier than they actually were.

The researchers claim this indicates the government had delayed publication in order to evaluate the flaws for internal use by the Ministry of State Security (MSS), China's foreign and national intelligence service.

Original publication dates were also altered so as to hide which vulnerabilities the MSS might be using at any given time, Recorded Future claims.

There was "no other logical explanation" for the "systemic retroactive alteration of original publication dates", the researchers argued, but did not provide proof for this assertion.

"The selective backdating of vulnerability publication for the outliers is essentially a tacit confirmation from CNNVD of their vulnerability evaluation program and the operational use of some delayed vulnerabilities," they said.

"Changing the dates after publication prevents researchers from conducting bulk historical analysis of CVE publication and from identifying vulnerabilities which the MSS or Chinese intelligence services may be exploiting in operations."

They did however find direct evidence that initial CNNVD publication dates for vulnerabilties were backdated, in one case by 236 days, to match those of the US NVD.

They cited two particular CVEs that had been backdated: the CVE-2017-0199 vulnerability against Microsoft Office and Windows Wordpad, and CVE-2016-10136, which exfiltrates large amounts of data from Android phones sold in China and the United States.

Recorded Future conducted an initial study of CNNVD last November to assess how quickly details of vulnerabilities were published.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
china cve recorded future security

Most Read Articles

Telstra sets $65 a month as minimum spend to get 5G access

Telstra sets $65 a month as minimum spend to get 5G access
Woolworths pays record $1m fine for spamming customers

Woolworths pays record $1m fine for spamming customers
Siemens chases Telstra customers over alleged cracked software use

Siemens chases Telstra customers over alleged cracked software use
Australia Post to expand its network transformation

Australia Post to expand its network transformation
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Get IT, finance and business on the same page
Get IT, finance and business on the same page
Why is DevSecOps important to your business?
Why is DevSecOps important to your business?
Architecting Hybrid IT & Edge for Digital Advantage
Architecting Hybrid IT & Edge for Digital Advantage
Organizations Increasing Their Adoption of NFV
Organizations Increasing Their Adoption of NFV
Modernise IT by Reducing Your Reliance on AD
Modernise IT by Reducing Your Reliance on AD

Events

Log In

Username / Email:
Password:
  |  Forgot your password?