"Microsoft: China Flaw Disclosure Law Part of Zero-Day Exploit Surge"

Microsoft is warning that China-based nation-state threat actors are taking advantage of a one-year-old law to "stockpile" zero-days for use in sustained malware attacks. According to Microsoft, China's government hacking groups have become "particularly proficient at discovering and developing zero-day exploits" after strict mandates around early vulnerability disclosure went into effect.

Microsoft was able to make a direct connection between China's vulnerability reporting regulation that went into effect in September 2021 and a surge in zero-day attacks documented over the last two years. Microsoft stated that the increased use of zero-days over the last year by China-based actors likely reflects the first full year of China's vulnerability disclosure requirements for the Chinese security community and a significant step in using zero-day exploits as a state priority. Microsoft noted that the Chinese regulation requires vulnerabilities to be reported to a government authority for review before they are shared with the product or service owner, providing a zero-day window for malicious exploitation. Microsoft stated that this new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities and weaponize them.

Microsoft was able to document multiple in-the-wild zero-day attacks linked to China's state-backed hackers and noted that the time between the availability of security patches and exploitation continues to shrink rapidly. Microsoft is urging defenders to prioritize patching zero-day vulnerabilities as soon as fixes are available and to invest in tools that document and inventory all enterprise hardware and software assets, so that risk can be determined and decisions on when to act on patches can be made quickly.


SecurityWeek reports: "Microsoft: China Flaw Disclosure Law Part of Zero-Day Exploit Surge"
