Microsoft Criticized For Removing Exchange Exploit From GitHub (inside.com)
"Microsoft-owned GitHub has removed a proof-of-concept (PoC) exploit for critical ProxyLogon bugs in Microsoft Exchange, causing a backlash from security researchers," reports Inside.com's Developer newsletter:
The exploit has recently led to infections of as many as 100,000 servers. Microsoft rushed out patches last week for the vulnerabilities in response to a number of Chinese groups exploiting the bugs.
"This is huge, removing a security researcher's code from GitHub against their own product and which has already been patched. This is not good," Dave Kennedy, founder of TrustedSec, tweeted.
"It's unfortunate that there's no way to share research and tools with professionals without also sharing them with attackers, but many people (like me) believe the benefits outweigh the risks," tweeted Tavis Ormandy, a member of Google's Project Zero.
Use the internet, Luke (Score:5, Insightful)
Re: (Score:1)
agreed, the world could defo use a blockchain-based alternative to github.
Decentralized Github (Score:2)
It's coming, and it's Radicle [radicle.xyz].
Re: (Score:1)
And what if those policies were in effect before the current parent company took ownership?
Then they're still responsible for them... isn't this obvious? Microsoft get to choose whether to change the policies or keep them as they are - they're responsible for either choice.
Typical nerd arrogance (Score:1)
but many people (like me) believe the benefits outweigh the risks
So what you're saying is that your "belief" should be taken as gospel and every other individual or business that doesn't share that belief is wrong ?
Typical fucking security "researcher" nerd arrogance. Fuck you.
Re: (Score:2)
The article immediately before this one is about how that same exchange server is experiencing "escalated attacks."
Nope, they didn't say that. I do disagree with the (Score:2)
As it happens, I disagree with them.
We CAN share information in ways that it's pretty available to the appropriate people, the white hats, but not readily available to all the script kiddies. We actually do that regularly.
That said, no they did NOT say their opinion is gospel and everyone else is wrong. They stated their belief based in their relevant experience.
You responded to that with a straw man attack that's neither true nor particularly relevant to the issue being discussed. Probably because you d
Re: (Score:2)
Fuck you.
You know, I think I may have pinpointed why he is a trusted expert who gets quoted in major articles because people actually value his opinion, and you are, well... you.
Re: (Score:2)
I love to cuss up a storm, and I have been offered the chance to write a recurring column for a Linux magazine. If I had taken it (I was too busy with life stuff at the time) I would have simply not cussed in the articles.
Profanity is not the career-ender you imagine it to be
It's the right call (Score:2)
I know it's fun to be upset at Microsoft, but I think this is the right call. This attack is in the wild, plenty of servers still need to be patched, and posting this (what was posted was a non-working proof of concept that probably could be gotten to a working one with other available information) in a wide open place like github was not a good idea. To me it's the same as selling something that's not a gun that's missing one part that can be bought somewhere else that's easy to find.
Surely if the fol
Re: (Score:2)
This attack is in the wild, plenty of servers that still need to be patched,
You really think there are many bad guys out there who don't have the exploit already? Ah... what I would give to live in your world of naive comfort...
Re: (Score:2)
Better than living in your world where we just give up even trying.
Re: (Score:2)
As my grandfather used to say: "There are no high fences, only lazy burglars".
Removing the exploit from GitHub erects a very, very low fence.
Re:It's the right call (Score:4, Insightful)
Give up? Boy, I spend every hour of every working day and way too much of my spare time thinking about and working on improving IT security and I've done that for 20+ years.
Closing the barn door after the horse has not only left but has already been seen in the neighbouring village is bullshit. I'm not surprised that the epicenter of incompetence has done it, flailing around as they are whenever a big thing hits, as they've always done.
But everyone knows that shooting at where the enemy is now only wastes ammo. You need to shoot at where the enemy will be when your bullet gets there. And right now, the enemy is not trying to figure out the exploit, the enemy is compromising servers by the thousands. The enemy already has the exploit, has already weaponized it, has already deployed it in large-scale attacks and is already using it as a delivery system for further attacks. The enemy is four steps ahead of figuring out the exploit, but hey, let's pull some code off the Internet because that will do... what, exactly?
(don't bullshit me with "it will prevent script kiddies from joining the currently ongoing attacks". If you're worried about script kiddies in this, we need to have a serious discussion about why your threat model and risk analysis suck so badly.)
Re: (Score:2)
hosting it on the largest and most popular code hosting site is harmful to users,
You state that as a fact but never explain it.
How, exactly, is it harmful to users? Be specific.
Not sure why you have such a vested interest in this being hosted on github
I don't. If I would give one shit about MS exchange, I'd already have a copy. I'm just saying that pulling it is stupid and does nothing. It's a "look we are doing something to protect you" gesture that will fool some people who should be on red alert instead. Giving them a false sense of security is what will harm them. Some of the dumber ones will now think that the problem is solved (don't tell me nobody can b
told you so... (Score:4, Insightful)
Is it already time to pull out the "told you so" from back when the evil empire acquired Github?
If you haven't moved your code off Github onto some other service yet, now's the time.
Re: (Score:2)
There are plenty of exploits live on Github as of this moment, the most simple search will turn them up.
Plus there is a difference between an independent company pulling code for someone else and when it's your mother company. One has a smell.
And I'm by far not the only security expert in the world who is speaking out against this move.
Re: (Score:2)
Pull all exploit code, or pull none. Don't be selective.
Also, see my other answers, this doesn't actually do anything and might create a false sense of security.
Re: (Score:2)
Is it already time to pull out the "told you so" from back when the evil empire acquired Github?
You told everyone that MS would not change the existing github policies when it acquired them? It’s against Github’s ToS so why would you expect that they wouldn’t do this?
Re: (Score:3)
Nope, just told everyone that Github can no longer be trusted.
When you live in, say, Turkey, and Erdogan just put his son in charge of the bank that holds your family heirlooms in their vault, any smart person would move those to a different bank, not wait until the "shit, I should've done it" moment.
This is MS protecting themselves because they own the place. If it were the same thing but about a competing product, I'm quite sure it would be removed... a little less promptly.
But hey, don't believe me. I'v
Re: (Score:2)
This is MS protecting themselves because they own the place.
I'm not sure how this has anything to do with Microsoft, this was Github policy before the Microsoft acquisition.
Re: (Score:2)
It was time at the time.
I removed my repos from github as soon as the announcement was made.
Re: (Score:2)
So did I.
Surprisingly though, github is still the main player and only a small number of projects moved off it.
TOS Violation (Score:1)
Hosting exploits at GitHub in a public repo is a TOS violation.
So, what's the big deal? GitHub is owned by a corporation. They have rights. Their rights to their property exceed your rights to use their property except as defined within the TOS which they also have the right to re-write at any time without grandfathering in anything.
It's theirs.
Just like Twitter and other social media has the absolute right to ban, shadow ban, purge, or whatever they want to whomever they want on their servers, so does M
Re: (Score:2)
Nobody has argued that Microsoft has no right to take down repositories. Please, name the person who has.
We're arguing that they shouldn't.
Ladies, Gentlemen, and Smizmars: (Score:1)
Damned if you do, damned if you don't.