That ‘Badlock’ Bug Is More Hype Than Hurt
Like a trailer for a blockbuster film, a PR campaign advertising the mysterious “Badlock” bug three weeks ago had computer security experts alternately mocking the company behind the campaign, as well as marking the date on their calendars for when the bug’s patches would be released. But today, after details about the security hole were finally released, critics are calling the celebrity bug “Sadlock” instead.
The German company SerNet, which discovered the Badlock bug, aggressively publicized their impending announcement a month early with a web site, a brand name, a logo, and a marketing campaign. Despite all the hype, Badlock’s vulnerabilities only turned out to be medium-level security flaws.
SerNet discovered a series of vulnerabilities that could allow attackers to launch denial-of-service attacks or a man-in-the-middle attack to hijack a user’s connection to a server under certain conditions. While the flaws need to be patched, critics took to Twitter today to deride the marketing around them.
1st Law of Vuln Hype: the time between branded announcement and disclosure is inversely proportional to actual impact of the bug. #badlock
— Jan Schaumann (@jschauma) April 12, 2016
Karl Sigler at Trustwave’s Spider Labs described the man-in-the-middle flaw as one that would allow an attacker to hijack the connection and gain escalated privileges “that could allow an attacker to [have] full access to administrative tasks and the user database (SAM) on the remote server.”
Although Sigler acknowledged that the flaw is a concern and needs to be patched, “I can’t say that this vulnerability rises to any level that deserves the focus that a dedicated website and three weeks of buildup have given Badlock,” he wrote on Trustwave’s web site today.
“While I do recommend you roll out the patches as soon as possible … I don’t think Badlock is the ‘Bug To End All Bugs,’” Tod Beardsley, security researcher manager for Rapid7, said in a statement. “In reality, an attacker has to already be in a position to do harm in order to use this, and if they are, there are probably other, worse (or better depending on your point of view) attacks they may leverage.”
Critics had targeted SerNet last month, accusing it of hyping Badlock to promote its business and putting users at risk in the process, since the PR campaign effectively gave hackers three weeks to determine what the flaws might be and develop exploits to attack them before Microsoft or the Samba developer team could release patches today.
SerNet said it wanted to give system administrators an early warning that patches were on their way so they could set aside time to update their systems when they came out.
“Admins and all of you responsible for Windows or Samba server infrastructure: Mark the date,” SerNet warned in its early announcement. “Please get yourself ready to patch all systems on this day. We are pretty sure that there will be exploits soon after we publish all relevant information.” All the company would reveal at the time was that the bug or bugs affected unspecified versions of the Windows operating system and Samba, free open-source software that integrates Linux or Unix servers and Windows computers across a network.
The Badlock name launched a guessing campaign in the security community about what the flaw might be. Many assumed the name was a hint about the bug’s nature. “We know it is almost assuredly [a remote-code execution flaw], and likely has to do with the implementation of the SMB/CIFS protocol,” Brian Martin, director of vulnerability intelligence at Risk Based Security, wrote in a blog post at the time.
But the Badlock name turned out to have no connection to the vulnerabilities. The name, SerNet said today in a blog post, “was meant to be a rather generic name and does not point to any specifics.”
The company defended the hype it launched around Badlock, writing, “What branded bugs are able to achieve is best said with one word: Awareness…. It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it. This process didn’t start with the branding—it started a while ago with everyone working on fixes. The main goal of this announcement was to give a heads up. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.”