Security Experts:

Microsoft: China Flaw Disclosure Law Part of Zero-Day Exploit Surge

The world’s largest software maker is warning that China-based nation state threat actors are taking advantage of a one-year-old law to “stockpile” zero-days for use in sustained malware attacks.

According to a new report released Friday by Microsoft, China’s government hacking groups have become “particularly proficient at discovering and developing zero-day exploits” after strict mandates around early vulnerability disclosure went into effect.

Microsoft made a direct connection between China’s vulnerability reporting regulation that went into effect September 2021 and a surge in zero-day attacks documented over the last two years. 

“The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority,” Redmond said in the Microsoft Digital Defense Report 2022.

[ READ: Moussouris: U.S. Should Resist Urge to Match China Vuln Reporting ]

The Chinese regulation requires the reporting of vulnerabilities to a government authority for review prior to the vulnerability being shared with the product or service owner, providing a zero-day window for malicious exploitation.

“This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them,” Microsoft declared.

Microsoft documented multiple in-the-wild zero-day attacks linked to China’s state-backed hackers and noted that the time between the availability of security patches and exploitation continues to shrink rapidly. 

“These examples of newly identified vulnerabilities demonstrate that organizations have on average 60 days from the time a vulnerability is patched and a proof of concept (POC) code is made available online, and often picked up by other actors for reuse,” Microsoft said, pointing to a handful of attacks against software from SolarWinds, Zoho, Confluence and Microsoft’s own Exchange Server product. 

[ READ: New Law Will Help Chinese Government Stockpile Zero-Days ]

In the report, Microsoft acknowledges that the number of publicly disclosed zero-day vulnerabilities is the highest on record as malicious hackers -- both nation state and criminal --become more skilled at finding and exploiting software bugs before the vendor is even aware of their existence.

So far this year, there have been at least 42 documented in-the-wild zero-day attacks against widely deployed software products, with Microsoft among the oft-targeted vendor list.

“We have observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability,” the company said. “The commoditization of exploits is leading them to come at a much faster rate. Zero-day exploits are often discovered by other actors and reused broadly in a short period of time.”

Microsoft urged defenders to prioritize patching of zero-day vulnerabilities as soon as fixes are available and invest in tools to document and inventory all enterprise hardware and software assets to determine risk and to quickly determine when to act on patches.

Related: Moussouris: U.S. Should Resist Urge to Match China Vuln Reporting

Related: New Law Will Help Chinese Government Stockpile Zero-Days

Related: China May Delay Vulnerability Disclosures For Use in Attacks

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.