back to article China is likely stockpiling and deploying vulnerabilities, says Microsoft

Microsoft has asserted that China's offensive cyber capabilities have improved, thanks to a law that has allowed Beijing to create an arsenal of unreported software vulnerabilities. China's 2021 law required organizations to report security vulnerabilities to local authorities before disclosing them to any other entity. The …

  1. sreynolds

    It's a case of supply and demand...

    Redmond produces the shit (probably in HyrderaBAD) and the Chinese just cant enough of it.

    1. The Man Who Fell To Earth Silver badge
      FAIL

      Re: It's a case of supply and demand...

      Now if only Microsoft felt this was important enough to have an internal security team tasked with finding zero days in it's own software. Cost of such a team would be a rounding error on it's balance sheet.

      1. J.Teodor

        Re: It's a case of supply and demand...

        You mean, something like their Red Team? https://www.wired.com/story/microsoft-windows-red-team/

        1. Anonymous Coward
          Anonymous Coward

          Re: It's a case of supply and demand...

          That link is from 2018. After the ransomware shenanigan's of the last couple of years I'd have to say they were disbanded not long after.

  2. mark l 2 Silver badge

    How is that any different than what the NSA do with stuff like EternalBlue in which the vulnerability was not disclosed to Microsoft and ended up getting leaked by the Shadow Brokers?

    I suspect that every developed nation is now using these tactics in their cyber warfare

    1. Mr Finance

      It's a huge difference. The CCP has every Chinese IT worker bound by law to report vulnerabilities to them first. Nation state hacking teams number maybe a few thousand staff. For the last year, China has effectively had c. 5m working on it.

    2. casperghst42

      Exactly my first thought.

    3. Anonymous Coward
      Anonymous Coward

      Difference between "own goal" and "goal"

      How is that any different than ...

  3. AnotherName
    Facepalm

    Cut them off at source

    Perhaps Microsoft could stop manufacturing vulnerabilities in the first place?

    1. This post has been deleted by its author

      1. Mike 137 Silver badge

        Re: Cut them off at source

        Now that most applications are so huge and complex, vulnerabilities are almost inevitable. The sin is inadequate testing so they get released into the public space.

        Unfortunately it clearly is cheaper to release buggy code and issue patches than to test properly and release clean code. Otherwise things would be different.

        1. Primus Secundus Tertius

          Re: Cut them off at source

          Firstly, the days of standalone programs are long over; they all rely on subroutines which themselves rely on subroutines. Nobody is ever going to check all that. Secondly, so many rely on networking, which introduces so many interruptions to otherwise simple logic.

          Finally, nobody seems to use flowcharts to assist in creating sound logic.

          1. Mike 137 Silver badge

            Re: Cut them off at source

            "Nobody is ever going to check all that"

            Source code checking by hand is obviously not feasible in that case. However, all exploitable vulnerabilities depend on interaction with the software (otherwise they'd not be exploitable), and there are numerous ways to check runtime interaction (many of them fully automated).

            The source of the problem is the primary emphasis on "user acceptance" on the assumption of valid interaction, at the expense of testing for edge cases. The reason for this is almost certainly the dominant desire to get the application out the door, coupled with the absence of any effective redress for the user.

          2. GruntyMcPugh

            Re: Cut them off at source

            Flowcharts? We just don't code like that any more. I think the utility of flowcharts ended in the era of subroutines.

          3. Claptrap314 Silver badge

            Re: Cut them off at source

            So how do the bad guys find them?

            This is a market failure, plain and simple. The buyer entirely lacks the ability to evaluate security, and as only a very limited ability to even value it in the first place. Not that government intervention is likely to help much if at all.

            Companies release garbage software because the market tolerates it. They can do a LOT better. It's just that they would lose market share if they did.

      2. gerryg

        Re: Cut them off at source

        I think a small difference is that selling you the same stuff again is a business model (not only but including Microsoft) I'm not really convinced that closed source software suppliers ever really gave one about vulnerabilities until it was embarrassing to do otherwise.

        Blaming China feels a little bit like "dog ate my homework".

        If they gave more of a shit in the first place there would be few vulnerabilities to care about.

  4. Pete 2 Silver badge

    They are not alone

    > "might" be enabling the Chinese government to weaponize the vulnerabilities.

    Presumably doing precisely what every other actor in the field of cyber espionage is doing. The only difference is that nobody is talking about what is happening behind the closed doors of western (and others) security services.

    1. Version 1.0 Silver badge
      Unhappy

      Re: They are not alone

      Everything is limited so there's no way to know but I started seeing lots of viruses and phishing from China once we started selling products into China about 22 years ago, my opinion is that originally this was just localized hackers accessing our customers computers all the time.

      Maybe the Chinese government has hired a lot of the hackers but talking with Chinese friends suggests that they have worse hacking issues that the West does ... given today's environment it's impossible to know what's causing what we see happening every day.

    2. amanfromMars 1 Silver badge

      Re: They are not alone

      The only difference is that nobody is talking about what is happening behind the closed doors of western (and others) security services. .... Pete2

      Internal revolt and virtually autonomous strife and deep paranoid introspection resulting from their mounting failures to continue effectively defending and pimping the indefensible, and attack the most unlikely probable and previously imagined impossible, is not something to talk about, alerting and encouraging as it would/does, although it would be a mistake to think any such encouragement be needed, further foreign developments along similar lines of applied intelligence to produce greater successful stealthy secretive incursions/extractions for guaranteed deeper and dark webbed cyber espionage field advantage. Digging a deeper hole in which one finds oneself captured and unable to escape is not something to crow about and share with anybody listening or interested and either unable or unwilling to help, methinks.

      And one doesn't need to be a genius to know what that western security services problem delivers to others in reality fields dependent upon their services.

      1. Anonymous Coward
        Anonymous Coward

        How olde art thee?

        Methinks thee wilt beest a contemp'rary of shakespeare.

  5. Al fazed
    Unhappy

    Microsoft said China is, "particularly proficient" when it comes to discovering and developing zero-day exploits.

    Funny I always thought that Microsoft was developing the bugs without any help from China !

    ALF

  6. Anonymous Coward
    Anonymous Coward

    I must give Microsoft credit where credit is due

    .. it is not like it is not giving you many, MANY reasons to avoid it like the unsafe plague it is.

    To me it reads as a continuous demonstrator to its investors just how locked in its customers are. Security vulnerabilities, productivity destroying UI changes, updates and reboots, ever increasing resource demands (for what? Animating cursors? What IS a computer doing otherwise when you're just typing a letter?), extracting metrics and God knows what data from its users (ah, that answers the previous question), licensing games and in general badly written code, which may explain the security problems in the first place. When you are busy sticking plasters on plastered plasters it's really time to replace that tire.

    But no, instead they run a team that finds vulnerabilities in the products of OTHERS.

    There are a few more grave things wrong with Microsoft products, but I'm not going to get into that right now. It'll be more interesting to place that evidence where it belongs and see if authorities are willing to act or will demand more bribes free lunches from Microsoft reps. Because THAT, they appear to have down to perfection.

  7. simonb_london

    False alarm!

    "Stockpiling and deploying vulnerabilities" is just Microsoft's way of saying "writing and selling software".

  8. VoiceOfTruth

    Pots and kettles

    -> The 114-page report detailed other tactics – such as China's participation in foreign propaganda operations, alongside Russia and Iran

    Ha ha ha! As though the USA doesn't.

  9. Anonymous Coward
    Anonymous Coward

    Спасибо за то, что вы являетесь тем, кого мы называем Полезным Идиотом.

    1. amanfromMars 1 Silver badge

      Re: Спасибо за то, что вы являетесь тем, кого мы называем Полезным Идиотом.

      Howdy, AC

      According to one acclaimed genius, Albert Einstein, there's an endless supply of those open doors enabling release and anonymous third party exercise and exploitation of sequestered assets.

      The difference between stupidity and genius is that genius has its limits.

      Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.

    2. Anonymous Coward
      Anonymous Coward

      Cowardly hiding

      Машинный перевод с английского на русский?

      Это прозвучало слегка безжизненно, не так ли?

      Questions, questions, questions...

      Вопросы, вопросы, вопросы...

      A machine translation from English?

      It sounded slightly lifeless, didn't it?

  10. Anonymous Coward
    Anonymous Coward

    About Microsoft’s Presence in China

    Microsoft has had a presence in China for more than 20 years, entering the market in 1992. Our founder, Bill Gates, had the foresight to establish an office in Beijing, accurately predicting the country’s transition to the booming economy we see today.

    Microsoft has expanded its business across the country under its strategy of long-term investment and development. Today, our most complete subsidiary and largest R&D center outside the United States is in China. Microsoft has been working closely with customers and industry partners to realize innovation and both localize and land Microsoft technologies and solutions in China. Microsoft boasts a robust partner ecosystem with 17,000 partners. For every RMB that Microsoft earns in China, Microsoft partners earn 16. In early 2015, Microsoft was awarded “The World’s Top 10 Most Innovative of 2015 Companies in China ” by Fast Company magazine due to its local product strategy and commitments to helping Chinese partners, and was included as one of ” The Companies Remaking The Chinese Economy” along with Alibaba, Tencent, Baidu and other companies.

    Microsoft is committed to our Chinese customers and to enabling their success, supporting customers at the enterprise, city, provincial and national levels. Microsoft also attaches great importance to its social responsibilities and has been active in giving back to the local communities in which it operates. This includes supporting education and training initiatives, promoting innovation and local economic development and assisting in building a secure and open computing environment.

  11. Kev18999

    It's fud and diversionary doc to tell the world that China is to be blamed for all hacking and espionage information warfare when in fact. The US NSA is the worst offender. That's why the DOJ, NSA all wanted Eric Snowden and Manning to suffer so the secret that the NSA conducts the most hacking and surveillance around the world is discreet.

  12. Lordrobot

    Undoubtedly Chinese discovered vunerabilities that Microsoft built for NSA

    If Microsoft made socks they would be out of business... too many holes and too much complaining about customers.

    1. Fred Flintstone Gold badge

      Re: Undoubtedly Chinese discovered vunerabilities that Microsoft built for NSA

      Are you suggesting they should switch to making cheese instead?

      :)

  13. Charles Bu

    Hermit

    Hermit...in terms of anything trying to get *in*.

    They're quite happy to extrude their guts when it suits them though.

  14. DenTheMan

    I heard they are running out of vulnerabilities,

    Down to their last 2 million.

    1. Anonymous Coward
      Anonymous Coward

      Re: I heard they are running out of vulnerabilities,

      That merely tends to herald a new release..

  15. Anonymous Coward
    Anonymous Coward

    Let everybody make this rule

    "China's 2021 law required organizations to report security vulnerabilities to local authorities before disclosing them to any other entity."

    Other governments, businesses, etc... could make the same rule, and then...

    Who do you trust most with this information?

  16. Anonymous Coward
    Anonymous Coward

    Report BEFORE vs Report Only TO

    "China's 2021 law required organizations to report security vulnerabilities to local authorities before disclosing them to any other entity. The rules mean Beijing can use local research to hoard vulnerability information."

    The above statement makes no sense. According to the article the law requires that vulnerabilities be reported to local authorities BEFORE they are reported to anyone else. But the analysis and conclusion of the article proceeded as if the law requires them to report it to local authorities only with no further reporting to any one else allowing the POTENTIAL for the Chinese authorities to hoard and use the vulnerabilities for espionage..

    1. TheMeerkat Silver badge

      Re: Report BEFORE vs Report Only TO

      Requiring to report vulnerability to local authorities in countries like China means that the local authorities can selectively ban reporting the vulnerabilities any further.

      It is not an Anglo-Saxon legal system so you should not expect that people would report further until those in charge allow them.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like