Microsoft Says China Is Abusing Vulnerability Disclosure Requirements To Hoard Exploits
Plenty of countries have vulnerability disclosure requirements in place. This is supposed to increase the security of all users by requiring notification of affected platforms or software of exploits that may be used by malicious entities.
Define malicious entity" tho.
The NSA has never abided by these requirements, despite being the free world leader in surveillance. It would rather delay notification than give up vulnerabilities that give it an upper hand on its surveillance targets. And if the NSA is doing it, then everyone is doing it. Say what you will about the NSA (lord knows I have), but it likely has more oversight than any other government surveillance entity in the world.
And if the NSA feels comfortable blowing off mandates to maintain its surveillance capabilities, it's unlikely a government that deploys one of the most pervasive and invasive domestic surveillance programs in the world is going to care what Microsoft has to say about its actions.
The Chinese government has issued mandates requiring increased vulnerability reporting from hardware and software providers that do business in China. This would obviously include Microsoft. But this isn't being done to make citizens safer. It's being done to allow the Chinese government to make use of vulnerabilities reported to the government on its one-way disclosure street.
Somehow, the entity heading up US Homeland Security efforts sees nothing wrong with how the Chinese government handled vulnerability disclosures, as reported by Jonathan Greig for The Record.
Concerns that the Chinese military would exploit vulnerabilities before reporting them more broadly was an integral part of the investigation into the handling of the widespread Log4j vulnerability. Reports emerged earlier this year that the Chinese government had sanctioned Alibaba for reporting the vulnerability to Apache first, rather than to the government.
The Homeland Security Department's Cyber Safety Review Board spoke with the Chinese government and did not find evidence" that China used its advanced knowledge of the weakness to exploit networks.
Maybe the DHS just didn't look hard enough. There's evidence this isn't the case, as Microsoft stated in its latest security report [PDF].
[I]n a 114-page security report released on Friday, Microsoft openly accused the Chinese government of abusing the new rules and outlines how state-aligned groups have increasingly exploited vulnerabilities globally since they were implemented.
Here's what the report says about the new reporting mandate and how the Chinese government is using the mandate to further its own aims:
China's vulnerability reporting regulation went into effect September 2021, marking a first in the world for a government to require the reporting of vulnerabilities into a government authority for review prior to the vulnerability being shared with the product or service owner. This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them. The increased use of zero days over the last year from China-based actors likely reflects the first full year of China's vulnerability disclosure requirements for the Chinese security community and a major step in the use of zero-day exploits as a state priority. The vulnerabilities described below were first developed and deployed by China-based nation state actors in attacks, before being discovered and spread among other actors in the larger threat ecosystem.
Unsurprising if true. This was always the goal of the new disclosure mandates. The Chinese government appears to have opened up a one-way portal that allows it to use reported exploits while keeping affected users in the dark. Unfortunately, it's not all that unlike how the NSA has treated its disclosure requirements and the temptation to weaponize reported vulnerabilities often results in delayed disclosure to companies whose products and users are affected.
And this report won't make anything better. China will continue to be China. And other nations might decide it's in their best interest to start hoarding exploits, if for no other reason than to defend themselves against foreign governments and/or re-purpose exploits to go on the offensive. The internet is everyone's playground. Unfortunately, it's inhabited by far too many powerful bullies.