Zimbalwa izinsuku ezedlule IMicrosoft ithole uchungechunge lwezigxeko ezinamandla ngabathuthukisi abaningi ngemuva kwe-GitHub susa ikhodi ku-Exchange xploit Futhi ngukuthi yize kwabaningi kungaba yinto enengqondo kunazo zonke, yize inkinga yangempela ukuthi bekungama-PoC xplots obuthakathaka obunamachashazi, asetshenziswa njengezinga eliphakathi kwabaphenyi bezokuphepha.
Lokhu kubasiza ukuthi baqonde ukuthi ukuhlaselwa kusebenza kanjani ukuze bakwazi ukwakha izivikelo ezingcono. Lesi senzo sicasule abacwaningi abaningi bezokuphepha, njengoba uhlobo lokuxhaphaza lukhishwe ngemuva kokukhishwa kwesiqeshana, okuyinto ejwayelekile.
Kunesigatshana emithethweni yeGitHub esivimbela ukubekwa kwekhodi enonya okusebenzayo noma okuxhaphazayo (okungukuthi, ukuhlasela amasistimu wabasebenzisi) ezinqolobaneni, kanye nokusetshenziswa kweGitHub njengengxenyekazi yokuletha ukuxhaphaza nekhodi enonya ngesikhathi sokuhlaselwa.
Noma kunjalo, lo mthetho awukaze usetshenziswe ngaphambili kuma-prototypes. yekhodi eshicilelwe ngabaphenyi okushicilelwe ukuhlaziya izindlela zokuhlasela ngemuva kokuthi umthengisi ekhiphe isichibi.
Njengoba leyo khodi imvamisa ingasuswa, IMicrosoft ibone amasheya eGitHub njengokusebenzisa insiza yokuphatha ukuvimba imininingwane mayelana nokuba sengozini kumkhiqizo wakho.
Abagxeki basola iMicrosoft ukuba nezinga eliphindwe kabili futhi ukucubungula okuqukethwe onentshisekelo enkulu emphakathini ocwaninga ezokuphepha ngoba nje okuqukethwe kuyingozi kuzintshisekelo zeMicrosoft.
Ngokusho kwelungu lethimba le-Google Project Zero, umkhuba wokushicilela izindlela zokuxhaphaza ulungile, futhi izinzuzo zidlula ingozi, ngoba ayikho indlela yokwabelana ngemiphumela yocwaningo nabanye ochwepheshe ukuze lolu lwazi lungangeni ezandleni labahlaseli.
Umcwaningi UKryptos Logic uzame ukuphikisana, ukuveza ukuthi esimeni lapho kusenamaseva we-Microsoft Exchange angaphezu kwezinkulungwane ezingama-50 kunethiwekhi, ukushicilela izindlela zokuziphatha ezilungele ukuhlasela kubonakala kungabazisayo.
Ukulimala okukhishwa kusenesikhathi kokuxhaphaza kungadala ukwedlula inzuzo kubaphenyi bezokuphepha, ngoba lokho kuhlukumeza kubeka engozini inani elikhulu lamaseva okungafakwanga izibuyekezo kuwo.
Abameli beGitHub baphawule ngokususwa njengokwephula umthetho yensizakalo (Izinqubomgomo Zokusebenzisa Ezamukelekayo) futhi bathi bayakuqonda ukubaluleka kokushicilela ukuxhaphaza ama-prototypes ngezinjongo zokufundisa nokucwaninga, kepha futhi bayayiqonda ingozi yomonakalo abangayidala ezandleni zabahlaseli.
Ngakho-ke, IGitHub izama ukuthola ibhalansi efanelekile phakathi kwezintshisekelo zomphakathi uphenyo ngezokuphepha kanye nokuvikelwa kwabangaba izisulu. Kulokhu, kutholakale ukuthi ukushicilela ukuxhaphaza okulungele ukuhlaselwa, inqobo nje uma kunenombolo enkulu yezinhlelo ezingakabuyekezwa, kwephula imithetho yeGitHub.
Kuyaphawuleka ukuthi ukuhlaselwa kwaqala ngoJanuwari, ngaphambi kokukhishwa kwesiqephu nokudalulwa kolwazi mayelana nobungozi (usuku 0). Ngaphambi kokushicilelwa kwesibonelo sokuxhashazwa, kwakusele kuhlaselwe cishe amaseva ayi-100, lapho kwafakwa khona umnyango wangemuva wokulawula okukude.
Kuhlobo olude lokusebenzisa i-GitHub, ubungozi be-CVE-2021-26855 (ProxyLogon) bukhonjisiwe, okukuvumela ukuthi ukhiphe idatha kumsebenzisi ongenangqondo ngaphandle kokufakazela ubuqiniso. Ngokuhlanganiswa ne-CVE-2021-27065, ukuba sengozini futhi kukuvumele ukuthi usebenzise ikhodi yakho kuseva enamalungelo okuphatha.
Akukona konke ukuxhaphaza okususiwe, ngokwesibonelo, inguqulo eyenziwe lula yokunye ukuxhashazwa okwenziwe yiqembu leGreyOrder ihlala ku-GitHub.
Inothi lokuxhashazwa likhombisa ukuthi ukuxhashazwa kwasekuqaleni kweGreyOrder kwasuswa ngemuva kokufakwa kokusebenza okungeziwe kukhodi ukufaka uhlu lwabasebenzisi kuseva yeposi, okungasetshenziswa ukwenza ukuhlasela okukhulu ezinkampanini ezisebenzisa iMicrosoft Exchange.