Microsoft criticized after removing a prototype exploit for Microsoft Exchange from GitHub

Microsoft has removed from GitHub the code (a copy) of a prototype exploit demonstrating a critical vulnerability in Microsoft Exchange. This action caused outrage among many security researchers, since the exploit prototype was published after the patch was released, which is common practice.

There is a clause in GitHub's rules that prohibits placing active malicious code or exploits (i.e., ones that attack users' systems) in repositories, as well as using GitHub as a platform for delivering exploits and malware in the course of conducting attacks. But this rule had not previously been applied to code prototypes hosted by researchers and published to analyze attack methods after the vendor released a patch.

Since such code is usually not removed, GitHub's actions were seen as Microsoft using an administrative resource to block information about a vulnerability in its own product. Critics accused Microsoft of double standards and of censoring content of great interest to the security research community simply because that content harms Microsoft's interests. According to a member of the Google Project Zero team, the practice of publishing exploit prototypes is justified and the benefits outweigh the risks, since there is no way to share research results with other specialists without this information also reaching attackers.

A researcher from Kryptos Logic tried to object, pointing out that in a situation where there are still more than 50 unpatched Microsoft Exchange servers on the network, publishing exploit prototypes that are ready for attacks looks questionable. The damage that premature publication of exploits could cause outweighs the benefit to security researchers, since such actions put at risk a large number of servers that have not yet had time to install updates.

GitHub representatives described the removal as a response to a violation of the terms of service (Acceptable Use Policies) and said they understand the importance of publishing exploit prototypes for research and educational purposes, but they also recognize the harm such code could cause in the hands of attackers. GitHub is therefore trying to find the right balance between the interests of the security research community and the protection of potential victims. In this case, publishing an exploit suitable for carrying out attacks, while a large number of systems remain unpatched, is considered a violation of GitHub's rules.

It is noteworthy that the attacks began in January, long before the release of the patch and the disclosure of information about the vulnerability (a 0-day). Before the exploit prototype was published, about 100 thousand servers had already been attacked, with a backdoor for remote control installed on them.

The removed GitHub prototype demonstrated the CVE-2021-26855 (ProxyLogon) vulnerability, which allows extracting an arbitrary user's data without authentication. In combination with CVE-2021-27065, the vulnerability also allowed code to be executed on the server with administrator privileges.

Not all exploits have been removed; for example, a simplified version of another exploit developed by the GreyOrder team remains on GitHub. The note accompanying that exploit says the original GreyOrder exploit was removed after additional functionality was added to the code that enumerates users on the mail server, which could be used to launch mass attacks against companies using Microsoft Exchange.

Source: opennet.ru