Hype Around the Mysterious ‘Badlock’ Bug Raises Criticism
Brand-name software bugs with flashy public relations campaigns have been commonplace since the Heartbleed vulnerability was announced in 2014 with a media-friendly name, logo, and web site.
But another bug is on the horizon that is setting a new bar for brand-name bug disclosures. It’s called Badlock and it’s already receiving a lot of controversial attention, even though the exact nature of the bug—and most importantly, the patches to fix it—won’t be disclosed for another three weeks.
The bug affects unknown versions of the Windows operating system and Samba, free open-source software that integrates Linux or Unix servers and Windows computers across a network. A pre-patch marketing campaign about the security hole includes a web site and logo that SerNet, the German company behind the bug discovery, says is meant to inform system administrators that patches are coming April 12 so they can prepare to update systems that day.
“Admins and all of you responsible for Windows or Samba server infrastructure: Mark the date,” SerNet warned on its Badlock web site this week. “Please get yourself ready to patch all systems on this day. We are pretty sure that there will be exploits soon after we publish all relevant information.”
But the campaign has caused many in the information security community to criticize the company for hyping the issue for profit—and, worse, for putting people at risk. The pre-patch campaign effectively gives hackers about three weeks to determine what the flaw might be and develop exploits to attack it before Microsoft and the Samba developer team can release patches.
Not How the System Should Work
“The bug disclosure process here is not doing anyone any favors,” says Dan Kaminsky, noted security researcher and chief scientist at White Ops. “What’s the call to action [for system administrators] other than pay attention? Even when we complain about [other] bugs with logos and with media attention, yeah there’s annoyance, but the core reality is there’s a problem, here’s a fix, people should act. … What are people supposed to do [in this case] other than applaud… or guess the flaw?”
Brian Martin, director of vulnerability intelligence at Risk Based Security, called it “pure, unadulterated marketing” on the part of SerNet. “People will start contacting them [seeking information and protection], and it opens up sales channels left and right.”
But not everyone opposes the three-week warning.
“I think it makes sense to give … notice for a flaw this widespread, if it turns out to be critical… [i]n other words, widespread, easy to exploit, and high impact,” says Chris Wysopal, cofounder and CTO of Veracode.
It’s not unusual for researchers who discover a vulnerability to publicly disclose it before a patch is available; it’s also not unusual for security companies that offer detection and protection services to market their products and services before a patch is released to help protect customers until a security hole gets sealed.
But Kaminsky and Martin say this one is different because SerNet has released hints that could help hackers figure out the security hole quickly. There are also, Martin notes, questions about whether the SerNet worker who discovered the hole had a role in creating it.
All We Know About Badlock: It’s Good For Business
The bug was discovered by Samba developer Stefan Metzmacher, who has been writing code for Samba since at least 2002 and now works for SerNet, which specializes in Samba training and consultation.
Metzmacher’s name appears in 463 Samba source code files, created between 2002 and 2014, and several other people at SerNet were also developers of the Samba software. This is part of the company’s selling point for its services—it can claim that few people and companies know Samba as well as Metzmacher and its other employees do.
But if it turns out that the Badlock flaw Metzmacher found is in a part of the Samba code he or other SerNet workers actually wrote, he and SerNet could face even more criticism for marketing the discovery of a bug they helped create through flawed programming.
“It is certainly eye opening when someone develops a piece of software for over a decade, then finds a critical vulnerability in it a couple years after … and will most likely capitalize on it directly,” Martin wrote in his blog post.
Others have expressed a similar sentiment.
1. Introduce bug
2. Discover your own vulnerability
— Gabor (@gszathmari) March 22, 2016
SerNet CEO Johannes Loxen has acknowledged the bug’s marketing value for his company on Twitter.
— Johannes Loxen (@jloxen) March 23, 2016
A Challenge to Hackers
Little is known about the Badlock flaw other than it’s a “crucial security bug” in Windows and Samba, according to SerNet’s Badlock web site, and Loxen has hinted on Twitter that it can give an attacker administrative-level privileges on a local network. Wysopal explains that, with only that knowledge to go on, this could be anything from another Conficker worm, “which spread using flaws in Windows file-sharing” and hit more than 9 million machines, to nothing very serious at all. “We have seen other named vulnerabilities that were hyped that turned out to be hard to exploit and not widespread in reality so we will have to wait and see,” he said.
But simply knowing it affects Windows and Samba narrows the possibilities of what the bug might be, Martin says, making it easier for hackers to figure out. He and others suggest the flaw may be in what’s known as the SMB protocol, or Server Message Block protocol, which lets computers read and write files over a local network. Windows uses a specific implementation of the SMB protocol known as CIFS, or Common Internet File System.
“We know it is almost assuredly [a remote-code execution flaw], and likely has to do with the implementation of the SMB/CIFS protocol,” Martin wrote in a blog post on Wednesday.
The Badlock name also might provide hints about the nature of the bug.
“The name Badlock is likely based on a file or resource locking mechanism within the SMB implementation, and the code that controls it,” Martin wrote.
If this is the case, it won’t take long for hackers to find it, which worries Kaminsky.
“At minimum they shouldn’t have named the flaw,” he says. “Now you’ve got a lot of people looking at the locking subsystem in SMB and maybe people find this particular Badlock flaw, maybe they find others.” Whatever they find, he says, “there’s a 12-day period in which everyone is on notice: ‘Large bug here; no patch.’”
Kaminsky isn’t new to big-bug controversies. He discovered and helped coordinate a massive multi-vendor patch operation for a serious DNS flaw in 2008 that affected nearly every web site and was known as “the worst internet security hole since 1997.” But even though he publicly revealed the existence of the bug at a press conference, he withheld details about it to give DNS server owners time to patch their systems. He had planned to reveal details of the bug a month later during a presentation at the Black Hat security conference in Las Vegas. But two weeks after the press conference a security firm inadvertently released details online, which allowed someone to create an exploit before the day was out. Kaminsky says the circumstances around his bug were different than Badlock’s, however, since many systems were already patched in his case.
“I don’t pretend that I did it right,” he told WIRED. “But the thing I didn’t do wrong was have all sorts of hackers out after my bug.”
Kaminsky says one of the biggest concerns with Badlock is that other variants of the flaw might be found before patches can be released. “Every bug has a hundred variants … that would show up across other platforms,” Kaminsky says. Martin points out that if the flaw is in the SMB protocol itself and not just in a specific implementation of it, it could affect other software that uses or includes support for SMB, such as versions of Mac OS X, FreeBSD and Solaris.
Kaminsky also worries that Microsoft and Samba may encounter problems that prevent them from releasing their patches on the designated day. “As they’re doing the final testing on this patch, they might discover something wrong and they have no flexibility to move the [patch release] day,” he says. “[A]ny patch that comes out must come out on this particular day, because it’s a situation that’s now on fire. How is this protecting users; how does this have anything to do with users?”
Critics of SerNet say it’s certainly user-friendly to them, and to one other element: hackers.