China delayed flaw notification to exploit them: researchers

By on
China delayed flaw notification to exploit them: researchers
CNNVD page with backdated details on a Microsoft Office vulnerability exploited in the wild. Source: Recorded Future.

Flaws backdated in national database.

Security researchers claim China's Ministry of State Security delayed public notification and patch guidance for a number of vulnerabilities so they could be exploited by state hackers.

Researchers at security vendor Recorded Future compared how China's national vulnerability database (CNNVD) published information about IT threats with its United States equivalent.

They found that the Chinese government had altered the original publication dates for at least 267 vulnerabilities to make it appear they had been published earlier than they actually were.

The researchers claim this indicates the government had delayed publication in order to evaluate the flaws for internal use by the Ministry of State Security (MSS), China's foreign and national intelligence service.

Original publication dates were also altered so as to hide which vulnerabilities the MSS might be using at any given time, Recorded Future claims.

There was "no other logical explanation" for the "systemic retroactive alteration of original publication dates", the researchers argued, but did not provide proof for this assertion.

"The selective backdating of vulnerability publication for the outliers is essentially a tacit confirmation from CNNVD of their vulnerability evaluation program and the operational use of some delayed vulnerabilities," they said.

"Changing the dates after publication prevents researchers from conducting bulk historical analysis of CVE publication and from identifying vulnerabilities which the MSS or Chinese intelligence services may be exploiting in operations."

They did however find direct evidence that initial CNNVD publication dates for vulnerabilties were backdated, in one case by 236 days, to match those of the US NVD.

They cited two particular CVEs that had been backdated: the CVE-2017-0199 vulnerability against Microsoft Office and Windows Wordpad, and CVE-2016-10136, which exfiltrates large amounts of data from Android phones sold in China and the United States.

Recorded Future conducted an initial study of CNNVD last November to assess how quickly details of vulnerabilities were published.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
china cve recorded future security
In Partnership With

Most Read Articles

The CIO moves that made headlines in 2019

The CIO moves that made headlines in 2019
IBM appoints new Asia Pacific chief

IBM appoints new Asia Pacific chief
Google adds IBM Power to its cloud

Google adds IBM Power to its cloud
Defence, Tax Office fork out millions to keep Windows 7 secure for another year

Defence, Tax Office fork out millions to keep Windows 7 secure for another year
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Are you getting profitable outcomes from your IT?
Are you getting profitable outcomes from your IT?
Your Microsoft Security journey starts here
Your Microsoft Security journey starts here
Is your AWS framework well-architected?
Is your AWS framework well-architected?
Why you should reassess your cybersecurity posture
Why you should reassess your cybersecurity posture
How will you manage the cloud data deluge?
How will you manage the cloud data deluge?

Events

Log In

Username / Email:
Password:
  |  Forgot your password?