Badlock critical vulnerability: nice logo, no details.


Engineers from Microsoft and the Samba Team are reportedly working together to fix a critical vulnerability in Windows and Samba software – patches are expected in three weeks' time, on 12 April.

The overlap between Windows and Samba is the SMB/CIFS protocol and Active Directory.

Networks of Windows computers use SMB/CIFS to share access to files and printers, and use Active Directory for directory services including authentication and authorisation.

Linux, BSD and other Unix-like operating systems use Samba software to integrate into Windows networks, either as domain members or domain controllers.

No details about the vulnerability have been released save for its existence, but it does have a name, a website and its very own monochrome logo with hints of Heartbleed.

In other words, it has no substance but it already has a brand.

You could argue that this is a good thing: names are more memorable than CVE numbers and get more cut-through. My Dad certainly wouldn't have asked me to explain Heartbleed to him if it had been known as CVE-2014-0160.

And SerNet, the employer of Stefan Metzmacher, who discovered the flaw, clearly thinks so.

SerNet co-founder Johannes Loxen has taken to Twitter to defend his company’s actions, stating that “Warning ahead of time is appropriate. You’ll have to patch”, whilst being upfront about the advantages to his company, stating clearly that “marketing for us and our open source business is a side effect of course”.

So branding vulnerabilities is effective but where does it leave actual computer security?

Branding is a neat trick if it gets more people patching than otherwise would, but there are commercial gains to be had too, which creates an incentive to brand everything and talk up the severity of anything you’ve discovered.

The Badlock pre-announcement has given sysadmins three weeks to prepare for an emergency patch on 12 April. That's surely better than having no notice, but with no further information out there, how much preparation can they actually do?

And since the announcement was made by klaxon rather than in discreet whispers, it's got everyone's attention, the crooks included, and fired the starting gun on a race to find the vulnerability.

For crooks there’s a weapon to be discovered, and for curious security researchers there’s an interesting puzzle to be solved and a whopping PR scoop to be won if they can figure out what Badlock’s all about.

An open source project that’s as dull as it is important, that only attracts the attention of about 40 regular contributors, will now be crawling with eyeballs for three weeks.

To me this looks more like a product launch than responsible disclosure, and I wonder where it's taking us. What will the next bug bring: a moody two-minute trailer on YouTube? A Super Bowl spot?

At Naked Security we like to cut through the logos and the PR-hoopla. Amongst our pages you’ll find digestible explanations under the moniker of ‘what you need to know’ covering DROWN, GHOST, Stagefright, Superfish, Sandworm, FREAK, VENOM and a host of other vulnerabilities that sound like characters from a GI Joe movie.

So here goes. For now, no matter what the Twitter conspiracy vortex says, these are the facts:

On 12 April 2016 a crucial security bug in Windows and Samba will be disclosed.

And that’s it.

Image of Badlock licensed as CC0.