A few days ago Microsoft drew heavy criticism from many developers after GitHub removed the code of an Exchange exploit. Although for many people this might have seemed the most important point, the real problem is that PoC exploits for already patched vulnerabilities are a standard practice among security researchers.
They help researchers understand how attacks work so that better defenses can be built. The action angered many security researchers, since the exploit prototype had been released after the patch was out, which is the usual practice.
There is a section in GitHub's rules that prohibits placing active malware or exploits (that is, code that attacks users' systems) in repositories, as well as using GitHub as a platform for delivering exploits and malicious code during attacks.
However, this rule had never before been applied to prototype code published by researchers for analyzing attack methods after the vendor had released a patch.
Since such code had never been removed before, Microsoft's move was perceived as GitHub's owner using its administrative resources to block information about a vulnerability in its own product.
Critics accused Microsoft of applying a double standard and of censoring content that is very important to security researchers simply because that content harms Microsoft's interests.
According to a member of the Google Project Zero team, the practice of publishing exploit prototypes is justified, and the benefits outweigh the risks, since there is no way to share research results with other specialists without that information also reaching attackers.
A researcher from Kryptos Logic tried to argue the opposite, pointing out that in a situation where there are still more than 50 thousand outdated Microsoft Exchange servers on the network, publishing exploit prototypes ready to carry out attacks seems questionable.
The harm that early publication of exploits can cause outweighs the benefit to security researchers, because such exploits put at risk a large number of servers on which the updates have not yet been installed.
GitHub representatives described the removal as a violation of the service's terms (the Acceptable Use Policies) and said they understand the importance of publishing exploit prototypes for educational and research purposes, but also recognize the danger of the harm they can cause in the hands of attackers.
GitHub is therefore trying to find the best balance between the interests of the security research community and the protection of potential victims. In this case, it was determined that publishing an exploit suitable for carrying out attacks, while a large number of systems remain unpatched, violates GitHub's rules.
It is worth noting that the attacks began in January, before the patch was released and before information about the vulnerability was disclosed (a 0-day). Before the exploit prototype was published, 100 servers had already been attacked and had a backdoor for remote control installed on them.
The removed GitHub exploit prototype demonstrated the CVE-2021-26855 (ProxyLogon) vulnerability, which allows extracting data from an arbitrary user without authentication. Combined with CVE-2021-27065, the vulnerability allowed running code on the server with administrator privileges.
Not all exploits were removed; for example, a simplified version of an exploit developed by the GreyOrder team remains on GitHub.
The note on that exploit indicates that the original GreyOrder exploit was removed after additional functionality was added to the code to enumerate users on the mail server, which could be used to carry out mass attacks against companies using Microsoft Exchange.