GitHub criticized for removing exploit code for Exchange vulnerabilities

GitHub has come under fire for taking exploit code for vulnerabilities in Microsoft Exchange servers offline. The code was published after Microsoft released a patch for the vulnerabilities, but its removal still annoyed users.

The code was put online by independent security researcher Nguyen Jang. With some minor adjustments, it can be used to compromise Exchange servers that have not been patched. GitHub took the code offline within a few hours of its publication, according to Jang.

The removal is sensitive because Microsoft owns GitHub. Several users were critical of GitHub’s action, among them security expert Dave Kennedy, who threatened in a message on Twitter to take his code away from GitHub because he finds the company’s action ridiculous.

A GitHub spokesperson confirmed in a statement to Motherboard that the company has taken the code offline. The spokesperson noted that “While they understand that publishing and distributing a proof-of-concept exploit is of educational and scientific value, it must be balanced with the security of the entire ecosystem.” In this case, Jang’s code would threaten the servers that have not yet installed the new patch.

The vulnerabilities in Microsoft Exchange servers were discovered early this year. It turned out that they were being actively exploited by Chinese hackers. It is estimated that hundreds of thousands of servers have been affected. The issue involves four zero-day vulnerabilities in the 2013, 2016 and 2019 versions of Exchange Server. Microsoft patched the vulnerabilities on March 2.
