Microsoft's GitHub under fire after disappearing proof-of-concept exploit for critical Microsoft Exchange vuln

On Wednesday, shortly after security researcher Nguyen Jang posted a proof-of-concept exploit on GitHub that abuses a Microsoft Exchange vulnerability revealed earlier this month, GitHub, which is owned by Microsoft, removed the code, to the alarm of security researchers. The PoC code, something short of an actual functioning …

  1. Anonymous Coward

    What. A. Shock.

    I'd be surprised by this development, but the only thing stopping me is my complete lack of surprise.

    The thing that does actually surprise me is that there are people who still use GitHub after the MS acquisition. Did people not see this type of bullshit coming?

    1. Zippy´s Sausage Factory

      Re: What. A. Shock.

      I deleted my GitHub account when they bought it.

      I've since created a new one, mainly so I can use it to moan about how inaccurate their documentation is.

      That said, I suspect they won't be hosting it much longer on GitHub, given the UserVoice shenanigans they're starting on now.

      1. shortfatbaldhairyman

        Re: What. A. Shock.

        Yup. Same here. Deleted my github account the day I read about it.

        Now MS has a reputation amongst the younger generation as a "benevolent" and "kindly" organisation. Their words, not mine. They know nothing about the 90s. Nephews and nieces. Just kill me now.

        1. Binraider

          Re: What. A. Shock.

          Benevolent and MS aren't words I'd ever associate even remotely. Monopolistic, undirected, incoherent mush; that's perhaps more like it. 90s MS might have been "legal evil", but I have a lot of time for DOS / 3.1. Comprehensible systems on a scale that could realistically be user controlled, that in the main, did exactly what you told them to do.

          There are small pockets of MS that do good work, usually where they have gobbled up smaller outfits until the original idea is tarnished beyond belief. Things like VSCode (allegedly everyone's favourite?) or SysInternals.

          1. ChrisC

            Re: What. A. Shock.

            Pretty much my feelings towards MS as well - I've never had much time for MS either in terms of their technical prowess or their business behaviour, but at least in the old days of Gates/Ballmer there was a level of consistency in their approach - their products were in the main workmanlike if nothing earth shattering, and got on with the job without making too many assumptions about who actually owned the PC they were being used on. And when they did do something particularly well, by god was it good - from the first time I encountered one at the tail end of 1994, an Intellimouse was the only mouse I'd be happy to see connected to any PC I had to use until I discovered the delights of Logitech rodents about a decade later.

            These days they're trying, at the corporate level, to put on a veneer of huggy-feely niceness, whilst at the OS level they're making ever more presumptions about who's in charge of the PC with every update, which leads to an ever greater discrepancy between what their left and right hands are doing. When you had more native control over what your desktop environment looked like in Win3.1 than in Win10, and when the OS then didn't place arbitrary roadblocks in the way of third parties trying to provide retheming tools to allow the actual owner of the PC to set up their environment in whichever way THEY preferred it to be, rather than forcing everyone to use the environment that MS thought was best for us all, then something has gone badly wrong in the balance of power between those who merely provide the OS and those who sit in front of it for hours at a time, day in day out.

          2. A.P. Veening Silver badge

            Re: What. A. Shock.

            Benevolent and MS aren't words I'd ever associate even remotely.

            I do, closely even, but I expect there to be a negation as well.

        2. Michael Wojcik Silver badge

          Re: What. A. Shock.

          The thing is, even if Microsoft were a benevolent organization, there's an unavoidable conflict of interest here. Some manager somewhere will decide he (or she, but I'm laying odds on "he" most of the time) doesn't like something on GitHub and will order an underling to get it removed, without having that decision confirmed by anyone higher up.

          Corporate cultures aren't monolithic, and don't determine the behavior of every employee at every moment. At its worst, Microsoft still had good people doing good work; at its theoretical best, it still can't be trusted to police GitHub in a fair and proportionate manner. There's simply too much opportunity for a bad actor to intervene unfairly.

          I was never a fan of GitHub in the first place (these public central repositories are using git wrong, and I find that irksome), but I certainly wouldn't be interested in using it now for anything I control.

    2. oiseau Silver badge
      Facepalm

      Re: What. A. Shock.

      In a book about Freud’s Theory and Method, a chap by the name of F.S. Perls quoted "a great astronomer" as saying:

      “Two things are infinite, as far as we know – the universe and human stupidity.”

      It is not known if Perls was referring to Einstein or someone else.

      Both are long gone so it is quite probable that we will never know for sure.

      But with respect to human stupidity, the evidence is at hand.

      Also applies to the use of GitHub.

      O.

      1. Loyal Commenter Silver badge

        Re: What. A. Shock.

        This quote always annoyed me.

        We actually have no way of knowing if the universe is infinite or not. Since it is demonstrably expanding (red-shifts can be measured so that's not really at question), things further from us move away from us faster. Since the speed of light is also constant and known, we can't see beyond the point at which stuff is moving away from us, relatively, faster than the light from it can reach us. This imposes a "horizon" we can't see beyond, so we can't say one way or another whether the universe is infinite, from empirical observation.

        Big bang theory, on the other hand, which is a perfectly reasonable extrapolation from the observable expansion of the universe, suggests that the universe expanded from a point. Since there's no way to get from a point to infinity without an infinite amount of expansion, it's a fair conclusion that the universe is not, in fact infinite, although we can't observe this to confirm it.

        There are obvious problems with infinities (and indeed with getting something from nothing), and our understanding of the early universe is limited by what we can actually observe, although we can fairly accurately measure its age as 13.77 Bn years. By comparison, the age of the Earth is around a third of that at 4.5 Bn years. It always surprises me that our planet should have existed for an appreciable fraction of the lifetime of the universe, I get the feeling that the universe itself ought to be a lot, lot older.

        1. Cuddles Silver badge

          Re: What. A. Shock.

          "There are obvious problems with infinities"

          The biggest problem with infinities is our ability to understand them. As with quantum physics, if you think you understand it, you're probably wrong. And as is so often with physics outside the familiar human scale, this tends to lead to our intuitive understanding getting things completely wrong. Without going into details on all your points, I'll just note that the Big Bang is entirely compatible with an infinite universe. That is, after all, why people are still arguing about whether the universe is infinite or not, despite everyone involved being pretty sure the Big Bang did happen.

          I will correct you a bit on the horizon thing though. The horizon defined by the point where things start moving away from us faster than light is called the Hubble horizon, and it is not related to the size of the observable universe. The size of the observable universe is defined by the particle or cosmological horizon, which is simply a measure of how far light has been able to travel since the universe began. Obviously the past expansion of the universe affects this, but whether it's currently expanding or not, and whether it's accelerating or not, is completely irrelevant. It's possible for an object to be beyond the Hubble horizon, but still be inside the particle horizon.

      2. Anonymous Coward

        Re: What. A. Shock.

        I always heard the quote attributed to Einstein, and I always heard it as:

        "Only two things are infinite: the universe, and human stupidity, and I'm not sure about the former".

    3. Anonymous Coward

      Re: What. A. Shock.

      Indeed.

      Microsoft meme...

      Do as I say, don't do as I do. So, shut up and don't complain. We know who you are and where you live!

  2. Mark192 Silver badge

    Error by MS?

    "Other PoC code for the same CVE was still available on GitHub"

    Given the documentation was in Vietnamese, could it be that they didn't realise it was just a PoC like the others they'd left up?

    1. Anonymous Coward

      Re: Error by MS?

      aah, the good old "it's incompetence, not malice!".

      It amuses me greatly that companies keep saying what boils down to "We're not evil, we're just terrible at our jobs. Buy our products!"

      1. sev.monster Bronze badge

        Re: Error by MS?

        Yeah, in my opinion, incompetence is worse than malice. Like, even if what someone does is malicious in nature, at least you can appreciate the beauty of their work in a positive light. If someone is just patently stupid and that results in a bad outcome, then there's nothing to admire besides their astounding mental capacity.

        Of course, if someone is incompetent and malicious, then that's what we in the industry call two candles short of a summoning circle—either hilarious to watch and comfortable in your relatively assured safety, or running for your life because they just released the antichrist.

        1. Anonymous Coward

          Re: Error by MS?

          Agreed.

          "we in the industry call two candles short of a summoning circle"

          Haha, nice.

          I call that "a government contractor" ;)

        2. Blazde Bronze badge

          Re: Error by MS?

          Carlo Cipolla's well reasoned 5th law of Human Stupidity: Incompetence is more damaging to society than malice.

          In general, malicious acts are also more predictable, so we have a hope of countering them or mitigating their effects. Trying to thwart incompetence in all its bewildering permutations is futile.

    2. Ben Tasker Silver badge

      Re: Error by MS?

      Perhaps they asked Cortana to translate it and got a completely different meaning as a result?

    3. bombastic bob Silver badge
      Devil

      Re: Error by MS?

      There are more than enough people in this country that speak Vietnamese. It would be no trouble at all to get a translation from a native speaker that is also fluent in English. A lot of these native-Vietnamese-speaking people are software gurus and many probably work for Micros~1. One guy I worked with, a PFY at the time, went on to work for Sony, on PlayStation development last I heard. I think it was on his LinkedIn page. A 'dream job' for a gamer.

      More than likely, as stated in the article: they have elected themselves the arbiters of what is 'responsible.'

      References to "Cancel Culture" need not be explicitly stated.

  3. YetAnotherJoeBlow Bronze badge

    Simple

    If POCs were not published, vendors would not fix their products. Here I thought everyone knew that, silly me.

  4. Anonymous Coward

    The Commissar Vanishes

    The Commissar Vanishes

  5. pmelon

    ABM

    ‘Anything but Microsoft’ seems like a sound mantra at times like this.

    Kennedy was also asking why it’s okay that MS sat on this issue while it was being exploited for two months. I think more people need to ask that.

    1. Anonymous Coward

      Re: ABM

      Probably because intelligence agencies had not finished using it :)

  6. Pascal Monett Silver badge
    Thumb Down

    "Jang's PoC code pertains to a recently disclosed vulnerability that's being actively exploited"

    I do not see that as a valid excuse. The PoC is not functional. Since the vuln is already being exploited, miscreants don't need that code to guide them, they already have their own.

    1. Danny 14 Silver badge

      Re: "Jang's PoC code pertains to a recently disclosed vulnerability that's being actively exploited"

      Indeed. It was a zero-day patch, not a patch based on a PoC. The hack was already active and in use.

      Any admins that haven't patched by now shouldn't be running their own email server. Just have a look at all the 404s in your logs for the exploit pages; those are probably now being looked for by the script kiddies.
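The log check Danny 14 describes, worked through as an added example that is not part of the comment or the article: parse an IIS W3C log, collect the 404s per client IP, and flag clients whose misses span several distinct paths (scanning behaviour) rather than a single missing favicon. The log lines, the /probe/ paths and the threshold of two distinct paths are constructed for the example and are not taken from the vulnerability in the article.

```python
"""Triage 404s in an IIS W3C log to spot clients probing for paths that are not there."""
from collections import defaultdict

# Constructed sample log (not from any real server). Field order is read from the
# #Fields directive, as IIS writes it, so the parser does not assume column positions.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-11 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-11 00:01:02 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2021-03-11 00:01:05 10.0.0.5 GET /probe/one.aspx - 443 - 198.51.100.9 python-requests/2.25 - 404 0 2 3
2021-03-11 00:01:06 10.0.0.5 GET /probe/two.aspx - 443 - 198.51.100.9 python-requests/2.25 - 404 0 2 3
2021-03-11 00:01:07 10.0.0.5 POST /probe/three.aspx a=b 443 - 198.51.100.9 python-requests/2.25 - 404 0 2 4
2021-03-11 00:02:11 10.0.0.5 GET /favicon.ico - 443 - 203.0.113.7 Mozilla/5.0 - 404 0 2 1
2021-03-11 00:02:15 10.0.0.5 GET /probe/one.aspx - 443 - 192.0.2.44 curl/7.68.0 - 404 0 2 2
2021-03-11 00:02:16 10.0.0.5 GET /probe/one.aspx - 443 - 192.0.2.44 curl/7.68.0 - 404 0 2 2
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("request line seen before a #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def not_found_by_client(text):
    """Map client IP -> set of distinct URI stems that returned 404."""
    hits = defaultdict(set)
    for rec in parse_w3c(text):
        if rec.get("sc-status") == "404":
            hits[rec["c-ip"]].add(rec["cs-uri-stem"])
    return hits


def probing_clients(text, min_distinct_paths=2):
    """Clients whose 404s span several distinct paths look like scanning; one missing
    favicon does not. Returns {ip: sorted paths} for clients at or above the threshold
    (the threshold of 2 is an assumption for this example; tune it to your traffic)."""
    return {
        ip: sorted(paths)
        for ip, paths in not_found_by_client(text).items()
        if len(paths) >= min_distinct_paths
    }


if __name__ == "__main__":
    for ip, paths in probing_clients(SAMPLE_LOG).items():
        print(f"{ip} probed {len(paths)} missing paths: {', '.join(paths)}")
```

Run it against a real log by reading the file into `probing_clients` instead of `SAMPLE_LOG`; keying on the #Fields line matters because IIS sites are often configured with different column sets, and a positional parser silently reads the wrong column when that happens.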

  7. Howard Sway

    Smart move

    Kicking security researchers off your platform, who are trying to spread awareness of how vulnerabilities can be exploited, and in the process help you to improve your own products as well as everyone else's.

    Once you've kicked enough of them off, the researchers will probably feel the need to generalise their discoveries that they've made in your product, and publish them without naming the product, leaving you to work out at huge cost if they're present in all your products, but still helping others to avoid or remedy the new classes of exploits they've found.

    1. Steve Davies 3 Silver badge

      Re: Smart move

      If they keep on doing this then it won't be long before those researchers decide NOT to tell MS about the Zero-days etc that they discover on their crappiness... sorry apology for software.

      Treat them nicely and they'll play ball with you. Don't and... be prepared to suffer the consequences.

  8. Grease Monkey Silver badge

    "Other PoC code for the same CVE was still available on GitHub at the time this article was filed."

    So if other PoC code is still up then this clearly isn't a blanket policy from MS to take down PoC code affecting their products. And yet the article does its best to state that's exactly what it is.

    1. CrackedNoggin

      You ought to inform the author that you have discovered --- "Other PoC code for the same CVE was still available on GitHub at the time this article was filed." ---- so the author can add it to the article. I'm sure they would be appreciative.

  9. Anonymous Coward

    As my grandmother used to say

    Those who pay the orchestra will get to choose the tunes. Get over it!

    1. Janne Smith

      Re: As my grandmother used to say

      When they take down PoC code that impacts their own products, but not those of competitors, then I expect they'll be sued to buggery. And quite rightly too.

  10. CyberDevons

    MSFT nmap Tool Too!

    One of Microsoft's own blogs directed to a GitHub page that hosted an nmap scanning tool and they even decided to nuke this too :(

  11. Anonymous Coward

    Time to pick a side

    In the red corner it's Russia, China, Norks

    In the blue corner us

  12. chololennon
    Thumb Down

    Welcome to the big companies censorship

    Another case and counting... sadly, nowadays, they have more power than states. Also, at the current pace of (big) companies buying other (smaller) companies, in the near future just one, and only one, of them will rule the whole world.

    1. Kaki

      Re: Welcome to the big companies censorship

      Welcome to E-Corp

      1. chololennon
        Devil

        Re: Welcome to the big companies censorship

        "Welcome to E-Corp"

        Yeah, actually that name crossed my mind when I was writing the original comment. Mr. Robot's paranoia is actually mine now. How many subsidiaries do Disney, Coca-Cola, Procter & Gamble... etc. have? This list of parent companies is still big, but it's shrinking very quickly. Diversification across several orthogonal markets is really dangerous.

Biting the hand that feeds IT © 1998–2021