Connect with us

Hi, what are you looking for?


Application Security

Microsoft: China Flaw Disclosure Law Part of Zero-Day Exploit Surge

The world’s largest software maker is warning that China-based nation state threat actors are taking advantage of a one-year-old law to “stockpile” zero-days for use in sustained malware attacks.

The world’s largest software maker is warning that China-based nation state threat actors are taking advantage of a one-year-old law to “stockpile” zero-days for use in sustained malware attacks.

According to a new report released Friday by Microsoft, China’s government hacking groups have become “particularly proficient at discovering and developing zero-day exploits” after strict mandates around early vulnerability disclosure went into effect.

Microsoft made a direct connection between China’s vulnerability reporting regulation that went into effect September 2021 and a surge in zero-day attacks documented over the last two years. 

“The increased use of zero days over the last year from China-based actors likely reflects the first full year of China’s vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority,” Redmond said in the Microsoft Digital Defense Report 2022.

[ READ: Moussouris: U.S. Should Resist Urge to Match China Vuln Reporting ]

The Chinese regulation requires the reporting of vulnerabilities to a government authority for review prior to the vulnerability being shared with the product or service owner, providing a zero-day window for malicious exploitation.

“This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them,” Microsoft declared.

Advertisement. Scroll to continue reading.

Microsoft documented multiple in-the-wild zero-day attacks linked to China’s state-backed hackers and noted that the time between the availability of security patches and exploitation continues to shrink rapidly. 

“These examples of newly identified vulnerabilities demonstrate that organizations have on average 60 days from the time a vulnerability is patched and a proof of concept (POC) code is made available online, and often picked up by other actors for reuse,” Microsoft said, pointing to a handful of attacks against software from SolarWinds, Zoho, Confluence and Microsoft’s own Exchange Server product. 

[ READ: New Law Will Help Chinese Government Stockpile Zero-Days ]

In the report, Microsoft acknowledges that the number of publicly disclosed zero-day vulnerabilities is the highest on record as malicious hackers — both nation state and criminal –become more skilled at finding and exploiting software bugs before the vendor is even aware of their existence.

So far this year, there have been at least 42 documented in-the-wild zero-day attacks against widely deployed software products, with Microsoft among the oft-targeted vendor list.

“We have observed a reduction in the time between the announcement of a vulnerability and the commoditization of that vulnerability,” the company said. “The commoditization of exploits is leading them to come at a much faster rate. Zero-day exploits are often discovered by other actors and reused broadly in a short period of time.”

Microsoft urged defenders to prioritize patching of zero-day vulnerabilities as soon as fixes are available and invest in tools to document and inventory all enterprise hardware and software assets to determine risk and to quickly determine when to act on patches.

Related: Moussouris: U.S. Should Resist Urge to Match China Vuln Reporting

Related: New Law Will Help Chinese Government Stockpile Zero-Days

Related: China May Delay Vulnerability Disclosures For Use in Attacks

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...