October 29, 2021

Criticism of Github for removal of exploit code for Exchange vulnerabilities

Github is under fire for taking exploit code for vulnerabilities in Microsoft Exchange Server offline. The code was published after Microsoft had released a patch for the vulnerabilities, but was nevertheless taken down, to the annoyance of users.

Critics fume after Github removes exploit code for Exchange vulnerabilities | Ars Technica

The code was put online by independent security researcher Nguyen Jang. With some minor adjustments, it can be used to compromise Exchange servers that have not been patched. According to Jang, Github took the code offline within hours of its publication.

This is a sensitive issue because Microsoft owns Github. Several users were critical of Github's action, among them security expert Dave Kennedy. In a message on Twitter, he threatened to remove his own code from Github because he considers the company's action ridiculous.

A Github spokesperson confirmed in a statement to Motherboard that the company had taken the code offline. The spokesperson said that while Github understands that publishing and distributing a proof-of-concept exploit has educational and scientific value, this must be balanced against the safety of the entire ecosystem. In this case, Jang's code would pose a threat to servers that had not yet installed the new patch.

The vulnerabilities in Microsoft Exchange Server were discovered at the beginning of this year. It then turned out that they were being actively exploited by Chinese hackers. It is estimated that hundreds of thousands of servers have been affected. The issues are four zero-day vulnerabilities affecting Exchange Server 2013, 2016 and 2019. Microsoft fixed them on March 2.