
Github is censoring Proof of Concept code that exposes Microsoft

Furiku

Summary


GitHub, owned by Microsoft, has decided to do something everyone was afraid it might do: remove content that is somehow against the interests of its owner, Microsoft.

A Vietnamese security researcher released proof-of-concept code for the recent massive Hafnium / ProxyLogon Microsoft Exchange Server exploit, a day after Microsoft had already released its patch for it. Within hours of the PoC's release, however, GitHub (Microsoft) removed it.

This immediately resulted in an outcry, as it is standard industry practice for security researchers to publish proof-of-concept code such as this so that the exploit is better understood and developers can write protections against it. Naturally, the same code can be used by attackers, but the consensus among security professionals is that the benefits outweigh the downsides of releasing it.

 

Censorship of GitHub is exactly what critics highlighted as a possible consequence of the acquisition back then, and it seems the worst fears have come true.

 

Quotes

Quote


Wow, I am completely speechless here. Microsoft really did remove the PoC code from GitHub. This is huge: removing a security researcher's code from GitHub against their own product, which has already been patched.

 

GitHub naturally had an answer of its own on all of this, and its spokesperson confirmed the following to the outlet Motherboard:

Quote

We understand that the publication and distribution of proof of concept exploit code has educational and research value to the security community, and our goal is to balance that benefit with keeping the broader ecosystem safe. In accordance with our Acceptable Use Policies, we disabled the gist following reports that it contains proof of concept code for a recently disclosed vulnerability that is being actively exploited.

Surely it's hard to argue that the removal is justified because "it's actively exploited" after the patch has been released and is being distributed publicly.

There are several instances of them removing PoCs in general, but the enforcement of the rule is inconsistent at best and raises some legitimate concerns about possible bias towards protecting its owner's interests.

 

My thoughts

This was what everyone was afraid would happen when Microsoft bought GitHub: that content against Microsoft's interests would get censored. It will be interesting to see whether this case has any further... developments as far as GitHub's popularity goes. Alternatives do, after all, exist.

It's hard to judge the positives and negatives of publishing such code, but given that it was published after Microsoft had published its patch for the issue, I see no justification of any kind for the removal. Just because it's a widespread problem that (still) affects plenty of Exchange servers because their admins are incompetent at patching doesn't mean this should have been removed the way it was.

 

Sources

https://arstechnica.com/gadgets/2021/03/critics-fume-after-github-removes-exploit-code-for-exchange-vulnerabilities/

 

https://therecord.media/poc-released-for-microsoft-exchange-proxylogon-vulnerabilities/

 

https://www.vice.com/en/article/n7vpaz/researcher-publishes-code-to-exploit-microsoft-exchange-vulnerabilities-on-github

 

 


Well, to be fair, this won't get much traction anyway. It is like always: if the censorship does not affect people personally, they don't give two cents about it. Until it is too late, that is :)! Human nature in a nutshell; just look back at history and we are doomed to make the same mistakes that our forefathers did, and those before them.

 

But it will be fine, we are just going to have another 100 years of censorship because that makes everyone happy, or?

Harr, darr and a couple of....... plastic earrings?

 


I'll give them the benefit of the doubt for now. Just because MS released the patch yesterday doesn't mean all systems have applied the patch against the vulnerability, and if it is being actively exploited it is rather reckless to release the proof of concept so early.

 

 

Edit: I also like how you completely left out the thoughts of the researcher in your quotes.

 

Quote

Jang said that "it's ok to take down the Proof of Concept," adding that the code he posted wasn't functional out of the box, but required some tweaks. Jang, however, said that his code is "also written from the real PoC, so it will help the real researcher who are looking at this bug."

"The reason of my recent blog post is to warn everyone about the critical of this bug, let them last chance to patch their server before everything go burning!" he said, referring to a Medium post he wrote in Vietnamese.

 


2 hours ago, Arika S said:

I'll give them the benefit of the doubt for now. Just because MS released the patch yesterday doesn't mean all systems have applied the patch against the vulnerability, and if it is being actively exploited it is rather reckless to release the proof of concept so early.

I guess the counterpoint to this, however, is that if it is being actively exploited then the release of PoC code likely isn't going to add substantially to it. It's awfully close to "closing the barn door": too late, it's already gone.


Some servers are on scheduled maintenance and patch cycles. Across all the companies out there, they are installing fixes and patches every 2 to 8 weeks. Plus, if the IT staff do not actively check Microsoft's website every hour for such a patch, there is no chance in hell they already know about this flaw. AFAIK I do not receive any email from Microsoft about such issues (how would they? All my contact info is only available to my reseller). Patches are pushed to my servers every couple of days, and that depends on the region.


9 minutes ago, Franck said:

AFAIK I do not receive any email from Microsoft about such issues (how would they? All my contact info is only available to my reseller).

Depends; talk to your account rep at your reseller. We have a direct MS account rep and are part of a mailing list where MS directly notifies us of these things ahead of time, but those emails are confidential. I doubt you'd be eligible to get them, but this is a thing, just not for everyone. Doesn't hurt to ask though.


M$ strikes again! Their shitty practices always piss me off. I wish my workplace would just migrate to Linux/Ubuntu servers; my life would be easy. I am learning how to use Ansible in my home lab.


6 hours ago, leadeater said:

I guess the counterpoint to this, however, is that if it is being actively exploited then the release of PoC code likely isn't going to add substantially to it. It's awfully close to "closing the barn door": too late, it's already gone.

Not really. Rival hacking groups hold exploit code close to their chest. They might sell it, but they won't give up a financial advantage to exploit other networks.

So I would say that by keeping the PoC out of reach, it minimizes the scope of exploitation around the world by would-be hackers.


5 hours ago, StDragon said:

Not really. Rival hacking groups hold exploit code close to their chest. They might sell it, but they won't give up a financial advantage to exploit other networks.

So I would say that by keeping the PoC out of reach, it minimizes the scope of exploitation around the world by would-be hackers.

With how widespread this has been reported to be, I doubt there's only a single group with the information, or that it could realistically get much worse.


The exploits were actively in use, attacking servers, and the PoC was apparently already used in an attack. The PoC could have been released more professionally and responsibly; waiting a week would not have hurt. I think this researcher was just being an ass to Microsoft. The industry as a whole seems to agree on reporting an issue in private, waiting for a fix within some reasonable number of days, waiting until it gets deployed to most, and then releasing documents and proof of concept.

 

That said, I hope the repo will soon return and not be permanently removed.


Let me get the timeline straight here:

 

exploit is discovered

Microsoft releases patch

proof-of-concept code is released

Microsoft deletes proof-of-concept code

 

A couple of questions:

1: Why is Microsoft saying they deleted the code?

2: Does it invalidate their patch?

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


4 minutes ago, Bombastinator said:

A couple of questions:

1: Why is Microsoft saying they deleted the code?

2: Does it invalidate their patch?

I think Microsoft wants to allow more time for people to patch before opening the floodgates to script kiddies. I don't believe this code exploits anything more than what has already been available to patch.


11 minutes ago, Bombastinator said:

Let me get the timeline straight here:

 

exploit is discovered

Microsoft releases patch

proof-of-concept code is released

Microsoft deletes proof-of-concept code

 

A couple of questions:

1: Why is Microsoft saying they deleted the code?

2: Does it invalidate their patch?

Did you even read the articles or even the OP?

 

It was released the day after the patch. 1 day. I don't know about you, but no IT department I've worked with has ever been able to turn things around in 1 day.

 

And we're talking about EVERY MS exchange customer.


16 hours ago, Dragontail said:

Well, to be fair, this won't get much traction anyway. It is like always: if the censorship does not affect people personally, they don't give two cents about it. Until it is too late, that is :)! Human nature in a nutshell; just look back at history and we are doomed to make the same mistakes that our forefathers did, and those before them.

 

But it will be fine, we are just going to have another 100 years of censorship because that makes everyone happy, or?

The problem is that there is always that argument for everything. It's the slippery slope argument, which is generally regarded as not a valid argument, as with almost everything there is a balance. Censorship is needed for some things, but it can also be horrible if it goes too far. The same can be said of drinking water for people. It's about to what degree and where the healthy limits are. For this, I don't think we are near the territory where it's unhealthy censorship, as it is a vulnerability that we are talking about, so there is a valid reason to remove it from GitHub.


5 minutes ago, Arika S said:

I don't know about you but no IT department I've worked with has ever been able to turn things around in 1 day

I did, but then I'm an IT army of one 😁

 

But valid point: not many IT departments can turn that around so quickly. Small businesses, however, can, as they're more agile and empowered to act with little bureaucratic oversight.


7 minutes ago, Arika S said:

Did you even read the articles or even the OP?

 

It was released the day after the patch. 1 day. I don't know about you, but no IT department I've worked with has ever been able to turn things around in 1 day.

Read the OP. Didn't read the article. So you are confirming the timeline? The phrase "0-day exploit" comes to mind. I've heard of one-hour turnaround being frequent for 0-day exploit patches. "1 day" can also be a very vague number: 24 hours or less, with less being as little as minutes, depending on when the patch was released. If this was a theoretical and not an exploited vulnerability, it's not a zero-day exploit though. I don't know whether it was or not. Is there a benefit to releasing proof-of-concept code first? If so, the time before release is going to shorten and shorten. Eventually someone is going to put their foot over the line by a hair.


At first I was upset at this, until I read that they released the PoC literally a day after the patch was released.

 

When was the exploit first discovered by researchers? Remember, Project Zero gives you 90 days. Has 90 days passed yet?


People are making this out to be way more salacious than it is. 

17 minutes ago, dalekphalm said:

When was the exploit first discovered by researchers? Remember, Project Zero gives you 90 days. Has 90 days passed yet?

Well, to be fair, PZ mentions releasing details to their database once a patch lists the bug/issue (which technically happened in this case), or if 90 days have passed since notification with no results (as seen with Microsoft before).

 

That being said, I don't think that's responsible enough. As anyone in IT knows, patches take time to work their way through all the variability of companies and their IT teams (or lack thereof in many cases). Giving the patch more time to be deployed is more reasonable, especially given the scope and severity.


37 minutes ago, dalekphalm said:

At first I was upset at this, until I read that they released the PoC literally a day after the patch was released.

 

Yeah, I also thought it was longer, considering how long it's been since the patch and this article. PoC the day after patch release? Yeah, that's not exactly responsible.
