GitHub deletes Exchange exploit codeLast week, Microsoft patched four zero-day vulnerabilities in its Exchange server software. It's believed these "ProxyLogon" vulnerabilities are actively exploited by at least ten hacker groups, resulting in as many as 100,000 server infections over the past couple of weeks. ARS Technica writes Microsoft just made matters worse by deleting proof-of-concept exploit code that was published by a security researcher.
On Wednesday, the first largely working proof-of-concept (PoC) exploit code for the vulnerabilities got published by a Vietnamese security researcher. He wrote a Medium post to discuss the vulnerabilities and shared the code via GitHub. This is a standard practice among security researchers -- it's the response by GitHub that's so remarkable here. Just hours after the code went live, Microsoft-owned GitHub pulled down the code:
Within hours of the PoC going live, however, Github removed it. By Thursday, some researchers were fuming about the takedown. Critics accused Microsoft of censoring content of vital interest to the security community because it harmed Microsoft interests. Some critics pledged to remove large bodies of their work on Github in response.According to GitHub, the code got deleted because it violates the services's terms & condition:
“Wow, I am completely speechless here,” Dave Kennedy, founder of security firm TrustedSec, wrote on Twitter. “Microsoft really did remove the PoC code from Github. This is huge, removing a security researcher's code from GitHub against their own product and which has already been patched.”
We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe. In accordance with our Acceptable Use Policies, we disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited. -- GitHubWhile some security researchers are outraged by the action, others defend GitHub by stating the company has done this before, including for non-Microsoft products. There are various points of view here, with some believing it's reckless to publish remote code execution exploits when there are still tens of thousands of unpatched Exchange servers.