Just over a month ago, an unusual security announcement went out. Not the disclosure of a vulnerability itself, but rather that a vulnerability was going to be disclosed in the near future.
Details were few — we were told this vulnerability affected Windows and Samba — and the full breadth of the issue would be shared with the world on April 12 2016. To top it all off, the person who discovered the issue, Stefan Metzmacher, had already given the vulnerability its own website and an evocative name: Badlock.
In the meantime, we were all left to wait, wonder, and hope it wouldn’t be too bad. And when April 12 finally arrived, many in the security industry felt that Badlock was a lot of hot air.
You can see a lot of the frustrations around Badlock’s hype expressed perfectly on sadlock.org, no doubt created by an exasperated sysadmin. (There’s a lesson to be learned here for future vulnerability marketing teams – buy similar-sounding domain names, perhaps?)
Does it actually help to name vulnerabilities?
Generally, vulnerabilities are only known by their CVE – a useful but somewhat unwieldy classification. It’s quite uncommon for vulnerabilities to be named and “branded” as Badlock was, but it comes in a line of named vulnerabilities that have made headlines in the past few years.
You might remember a named vulnerability that grabbed the public’s attention in April 2014: Heartbleed, which was a bug in OpenSSL’s cryptography library.
While it wasn’t the first named vulnerability, it was definitely the first to have marketing attached to it. It had an easily-read name (much easier than its official designation as CVE-2014-0160), a website with simple language explaining the problem, and a slick bleeding-heart logo.
The vulnerability itself was also quite serious and a bit unusual. It affected a huge number of websites that many of us use daily, and the general public needed to change their passwords on these websites after the vulnerability was addressed.
If the goal of giving Heartbleed a cool name and logo was to grab a lot of attention by giving the scary issue a shiny veneer, and to reach far beyond those who normally pay attention to such things, it definitely worked.
Heartbleed made headline news across mainstream news and websites that normally wouldn’t ever talk about any kind of security issue. The Heartbleed marketing slick may very well have spurred people to action. (After all, OpenSSL and TLS aren’t exactly easy to explain to the general public.)
But the logo and the website for the Heartbleed vulnerability were also met with healthy skepticism. Was all this logo nonsense really necessary? Were all major vulnerabilities going to need this kind of treatment to get people’s attention?
Google bug hunters found Heartbleed and quietly fed patches for it into the community; the logo and the website came from a Finnish security company who discovered the same bug independently but slightly later. Was the logo more to do with grabbing credit while there was still a chance than it was to do with mobilising the public?
After all, mitigating a vulnerability’s impact generally requires someone like a system administrator to take action. There’s often not much the general public can do when a new vulnerability appears, except perhaps avoiding using certain services until their systems are patched.
Does having a shiny logo for every major vulnerability aid the public in understanding key security concepts, or does it just start unnecessary panic?
We’re hitting peak glamour vulnerability fatigue
Rather predictably, many people are already inured to Named Vulnerability of the Week.
Unless keeping track of these kinds of issues is your bread and butter, it’s not difficult to completely tune out repeated claims such as, “Hey, this is a big one – no really! We named it and everything!”
After all, since Heartbleed, we’ve seen a number of vulnerabilities given a glamorous treatment and a bit of marketing sheen: POODLE, DROWN, Shellshock, GHOST, and yesterday’s ImageTragick. But do you remember hearing much about any of these in the mainstream press? Probably not.
So who exactly are these “glamour” vulnerabilities trying to reach? The sysadmins who already have a huge laundry list of vulnerabilities to stay apprised of to try and patch? The language ever since Heartbleed came and went was that nobody wanted to miss the next Heartbleed.
It’s understandable that some people are cynical about all of this. There’s a rather frustrated Twitter account that recounts how many days it’s been since the last named vulnerability, @infosechype, whose tagline actually is “We make sure you don’t accidentally miss THE NEXT HEARTBLEED ™”
Given the letdown and subsequent backlash against the hype around Badlock, we may very well see some gun-shy vulnerability disclosures staying CVE-only for some time.
Or, perhaps if the cynics are right, it’s an arms race to the bottom.
What do you think?