Microsoft criticised after removing a Microsoft Exchange exploit prototype from GitHub

Microsoft has removed from GitHub a copy of a proof-of-concept exploit demonstrating the principle behind a critical vulnerability in Microsoft Exchange. The move caused outrage among many security researchers, since the prototype was published after the patch had been released, which is common practice.

GitHub's rules contain a clause that prohibits placing active malicious code or exploits (that is, code that attacks users' systems) in repositories, as well as using GitHub as a platform for delivering exploits and malware while carrying out attacks. Until now, however, this rule had not been applied to proof-of-concept code prepared by researchers and published for the analysis of attack methods after a vendor had released a patch.

Since such code had not previously been removed, GitHub's action was perceived as Microsoft using administrative leverage to block information about a vulnerability in its own product. Critics accused Microsoft of double standards and of censoring content of great interest to the security research community purely because that content harms Microsoft's interests. According to a member of the Google Project Zero team, the practice of publishing exploit prototypes is justified and the benefit outweighs the risk, since there is no way to share research results with other specialists without that information also reaching attackers.

A researcher from Kryptos Logic objected, noting that in a situation where more than 50 thousand Microsoft Exchange servers on the network remain unpatched, publishing attack-ready exploit prototypes looks questionable. The harm that early publication of exploits can cause outweighs the benefit to security researchers, since such exploits threaten a large number of servers whose operators have not yet had time to install the updates.

GitHub representatives described the removal as a violation of the service's terms (the Acceptable Use Policies) and stated that they understand the importance of publishing exploit prototypes for research and educational purposes, but also recognise the danger of the damage they can cause in the hands of attackers. GitHub therefore tries to find the optimal balance between the interests of the security research community and the protection of potential victims. In this case, publishing an exploit suitable for carrying out attacks while a large number of systems remain unpatched was deemed a violation of GitHub's rules.

It is worth noting that the attacks began in January, well before the patch was released and the vulnerability was disclosed (a 0-day). Before the exploit prototype was published, roughly 100 thousand servers had already been attacked and had a backdoor for remote control installed on them.

The exploit prototype removed from GitHub demonstrated CVE-2021-26855 (ProxyLogon), which allows an unauthenticated attacker to extract the data of an arbitrary user. In combination with CVE-2021-27065, the vulnerability also allowed code execution on the server with administrator privileges.
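Given the number of unpatched servers mentioned above, the practical question for an Exchange operator is not the removed exploit but whether their own server has already been hit. The following is an added example, not code from the article or from any of the parties it describes. It applies the indicator Microsoft published for CVE-2021-26855 in its own detection guidance: an unauthenticated request recorded in the Exchange HttpProxy logs whose AnchorMailbox value has the form ServerInfo~<host>/<path>, which is how the SSRF is steered at a back-end endpoint. The log lines are constructed for this example and use only a subset of the real HttpProxy CSV columns (the column names DateTime, ClientIpAddress, UrlStem, AuthenticatedUser and AnchorMailbox are assumed here).

```python
"""Triage of Exchange HttpProxy-style logs for the CVE-2021-26855 (ProxyLogon)
indicator from Microsoft's published guidance: a request with no authenticated
user whose AnchorMailbox matches ServerInfo~*/*.

Assumption: the CSV has a header row with the columns used below. The sample
rows are constructed for this example, not real log data.
"""
import csv
import fnmatch
import io
from typing import Dict, List

# Constructed sample: an authenticated OWA request, an unauthenticated but
# benign health probe, and two unauthenticated requests carrying a
# ServerInfo~ anchor that points the proxy at internal back-end endpoints.
SAMPLE_LOG = """DateTime,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-01T08:12:03.111Z,10.0.0.21,/owa/,CORP\\alice,Sid~S-1-5-21-1-2-3-1104
2021-03-01T08:12:09.420Z,10.0.0.9,/owa/healthcheck.htm,,
2021-03-01T08:15:44.902Z,203.0.113.77,/owa/auth/x.js,,ServerInfo~localhost/autodiscover/autodiscover.xml
2021-03-01T08:15:45.305Z,203.0.113.77,/ecp/y.js,,ServerInfo~localhost/ecp/proxyLogon.ecp
"""

# Glob published by Microsoft for the AnchorMailbox column.
SSRF_PATTERN = "ServerInfo~*/*"


def parse_httpproxy_log(text: str) -> List[Dict[str, str]]:
    """Parse CSV text with a header row into one dict per request."""
    return list(csv.DictReader(io.StringIO(text)))


def is_proxylogon_indicator(row: Dict[str, str]) -> bool:
    """True when the request was unauthenticated and its AnchorMailbox
    matches ServerInfo~<host>/<path>. fnmatchcase is used so the check
    behaves the same on Windows and Unix (fnmatch.fnmatch would be
    case-insensitive on Windows)."""
    unauthenticated = row.get("AuthenticatedUser", "") == ""
    anchor = row.get("AnchorMailbox", "") or ""
    return unauthenticated and fnmatch.fnmatchcase(anchor, SSRF_PATTERN)


def find_indicators(text: str) -> List[Dict[str, str]]:
    """Return every row of the log that matches the ProxyLogon indicator."""
    return [row for row in parse_httpproxy_log(text) if is_proxylogon_indicator(row)]


def source_ips(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct client addresses behind the matching requests, for blocking
    and for pivoting into other logs."""
    return sorted({row["ClientIpAddress"] for row in hits})


if __name__ == "__main__":
    hits = find_indicators(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['DateTime']} {hit['ClientIpAddress']} "
              f"{hit['UrlStem']} -> {hit['AnchorMailbox']}")
    print("sources:", ", ".join(source_ips(hits)))
```

A match shows that someone attempted the SSRF against the server, not that the later stages (mailbox access or the CVE-2021-27065 write) succeeded; those need the ECP and OAB generator logs as well. Conversely, an empty result is not proof of a clean server: HttpProxy logs rotate, and a server attacked in January may no longer hold the relevant entries.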

Not everything was removed: for example, a simplified version of another exploit, developed by the GreyOrder team, remains on GitHub. The description of that exploit states that the original GreyOrder exploit was removed after additional functionality was added to its code for enumerating users on the mail server, which could be used to launch mass attacks on companies running Microsoft Exchange.

source: budenet.ru