At the same time, many noted that publicly releasing the PoC exploit at this moment is an extremely dubious step. For example, Praetorian was recently criticized severely for much less serious “misconduct”: its specialists only published a detailed overview of the ProxyLogon vulnerabilities and refrained from releasing their own exploit.
The point is that at least ten hack groups are currently exploiting ProxyLogon bugs to install backdoors on Exchange servers around the world. According to various estimates, the number of affected companies and organizations has already reached 30,000-100,000, and their number continues to grow, as does the number of attackers.
Given the seriousness of the situation, within a few hours after the publication of the exploit, it was removed from GitHub by the administration of the service. Because of this, some members of the information security community were furious and immediately accused Microsoft of censoring content of vital interest to security professionals around the world.
For example, many researchers say that GitHub applies a double standard: PoC exploits for vulnerabilities in other companies’ software are allowed to remain so that they can be fixed, while similar PoCs for Microsoft products are removed.
“Wow. I have no words. Microsoft has indeed removed the PoC code from GitHub. It is monstrous to remove a security researcher’s code from GitHub, code aimed at their own product, which has already received patches,” writes Dave Kennedy, founder of TrustedSec, on Twitter.
On the same social network, Google Project Zero expert Tavis Ormandy argues with Marcus Hutchins. The latter says that he does not quite understand what benefit publishing a working RCE exploit could bring to anyone, to which Ormandy replies:
“Is there a benefit to Metasploit, or is literally everyone who uses it a script kiddie? Unfortunately, it is impossible to share research and tools with professionals without also sharing them with attackers, but many people (like me) believe that the benefits outweigh the risks.”
In turn, Hutchins writes that the argument about the vulnerabilities already being patched is untenable, as some 50,000 servers around the world are still vulnerable.
“‘Patches are out now.’ Dude, there are over 50,000 unpatched Exchange servers. Releasing a fully operational RCE chain is not security research, it is folly.
I’ve seen GitHub remove malicious code before, and not just code that targets Microsoft products. I highly doubt MS played any role in this removal; [the exploit] simply violated GitHub’s policy on active malware or exploits, as it was new and posed a threat of ransomware attacks on a huge number of servers,” says Hutchins.
Representatives of GitHub told reporters that the exploit certainly had educational and research value for the community, but the company has to maintain a balance and keep the wider ecosystem safe. Therefore, in accordance with the rules of the service, the exploit for a recently disclosed vulnerability that is currently being actively used in attacks was nevertheless removed from public view.