Over the last nearly two weeks, we have seen Microsoft deploying emergency patches and telling companies to secure Exchange servers due to Chinese hackers
exploiting a 0-day vulnerability. When vulnerabilities such as this are published, security researchers and hackers alike jump on the opportunity to develop proof-of-concept code and working exploits. Microsoft is not a fan of this, though, as it has removed a proof-of-concept from its code-repository site, GitHub
As the situation has developed, security researchers have delved into the Microsoft Exchange problem to replicate other hackers' work and complete research on what happened. One of these researchers, Nguyen Jang, posted their proof-of-concept code to Microsoft-owned GitHub which anyone could have used to hack Microsoft Exchange servers. Jang explained, however, that the code was not functional out of the box, and that it would have needed tweaks before working. Jang posted an example of the code working on his YouTube channel, shown below.
Whether the code worked out of the box or not, Microsoft went and took it down anyhow and sent Jang an email stating as much
. A GitHub spokesperson subsequently confirmed that the company removed the code, citing the potential damage and "Acceptable Use Policies." The "Acceptable Use Policies" explain that users shall not share or host any content which "contains or installs any active malware or exploits." According to a Microsoft update
on Monday, hackers are actively exploiting the Exchange vulnerability, which seems fairly clear-cut.
While Jang may be OK with letting the code be taken down, other security researchers treat this as something of a canary in a coal mine. Dave Kennedy, founder of TrustedSec and Binary Defense, tweeted that this move left him speechless and has since decided to look at moving away from GitHub entirely. On the other side of the coin, tens of thousands of Exchange servers remain unpatched but are likely from smaller organizations that should probably move infrastructure to the cloud anyhow.
In any case, it is certainly an interesting move from Microsoft, and it raises some interesting questions. Does Microsoft have a right to determine when proof-of-concept code can be uploaded and researched? At least on GitHub, the company would have some modicum of control, whereas the researchers will now only go to other sharing services where people cannot see the research as easily. Either way, do you side with Microsoft on this one or the researchers? Let us know what you think of this curious situation in the comments below.