The administration of the GitHub service has removed a real working exploit for the ProxyLogon vulnerabilities in Microsoft Exchange, though information security specialists have sharply criticized GitHub.Yesterday we wrote that an independent information security researcher from Vietnam published on GitHub the first real PoC exploit for a serious set of ProxyLogon vulnerabilities recently discovered in Microsoft Exchange. This exploit has been confirmed by renowned experts including Marcus Hutchins from Kryptos Logic, Daniel Card from PwnDefend and John Wettington from Condition Black.
At the same time, many experts noted that the public release of the PoC exploit now is an extremely dubious step. For example, recently Praetorian was severely criticized for much less harmful; “misconduct”: its specialists only published a detailed overview of ProxyLogin vulnerabilities, although they refrained from releasing their own exploit.
The point is that at least ten hack groups are currently exploiting ProxyLogon bugs to install backdoors on Exchange servers around the world. According to various estimates, the number of affected companies and organizations has already reached 30,000-100,000, and their number continues to grow, as well as the number of attackers.
Given the seriousness of the situation, within a few hours after the publication of the exploit, it was removed from GitHub by the administration of the service. Because of this, some members of the information security community were furious and immediately accused Microsoft of censoring content of vital interest to security professionals around the world.
For example, many researchers say that GitHub adheres to a double standard that allows a company to use PoC exploits to fix vulnerabilities that affect software from other companies, but that similar PoCs for Microsoft products are being removed.
On the same social network, Google Project Zero expert Tavis Ormandy argues with Marcus Hutchins. The latter says that he does not quite understand what benefits could bring publishing a working RCE exploit to at least someone, to which Ormandy replies:
In turn, Hutchins writes that the argument about the already fixed vulnerabilities is untenable, since about 50,000 servers around the world are still vulnerable.
GitHub told reporters that the exploit certainly had educational and research value for the community, but the company has to maintain a balance and be mindful of the need to keep the broader ecosystem safe. Therefore, in accordance with the rules of the service, the exploit for a recently discovered vulnerability, which is currently being actively used for attacks, has nevertheless been removed from the public domain.