Security researchers promote Badlock SMB bug ahead of patches

Tomorrow marks the much talked-about release of the patch for the Samba bug branded Badlock. While we don’t know a whole lot about the vulnerability, its discoverers assure us the patch is worth staying up for. From what we do know, Badlock is a "crucial security bug" in Windows' Server Message Block (or SMB) protocol, as well as the open-source Samba implementation of that protocol.

A critical bug in SMB or Samba is a big deal, since both are themselves a big deal. SMB underpins Microsoft's Active Directory and other widely used network services, while Samba is a popular piece of open-source software that simplifies the use of Active Directory credentials across mixed Windows and Linux domains. Samba is particularly common on file shares and print servers.

Like it or not, branding is a big deal in the data security business these days. The last few years saw the rise of vulnerabilities with names that seem a better fit for supervillains—Heartbleed and Shellshock being the biggest. Now Badlock joins the Legion of Security Doom, with its dramatic broken-lock branding and its own website.

The creators of these marketing campaigns claim they want to use them to spread the news about serious bugs. However, these branded flaws are being released by security firms that want visibility themselves, which may lead to a tendency to exaggerate the threat in order to get name recognition. Another potential downside of bug-branding is that serious bugs discovered by groups that aren't interested in promoting their finds could be lost in the noise. We'll see just how big a deal Badlock is when more details of it become available tomorrow.

Comments closed
    • Wirko
    • 4 years ago

    So, did the open source folks openly steal the source from Microsoft, along with the potholes?

      • chuckula
      • 4 years ago

      They didn’t steal any source code.

      But in order to actually work with Microsoft’s implementation of SMB they have had to reverse-engineer some of Microsoft’s bugs and reimplement the bugs for compatibility.

    • DragonDaddyBear
    • 4 years ago

    Branding is good for awareness but it hurts in the long run. Since Heartbleed was publicized by the media it’s become the go-to comparison for vulnerabilities. The issue is there are hundreds of metasploitable, exploit DB, poor configurations, and exploit kit vulnerabilities available. Any one of them could be the attack vector that is used to attack an organization and effectively shut it down.

    But, hey, at least we’re not vulnerable to Heartbleed, right?

      • Deanjo
      • 4 years ago

      "But, hey, at least we're not vulnerable to Heartbleed, right?"

      Unless you are running one of the millions of Android devices that never received a patch.

        • Waco
        • 4 years ago

        We had tens of thousands of Heartbleed attacks within a few minutes of the exploit being published.

        Of course, it took about zero time to fix (to block external attacks), but man, it immediately became the attack of choice.

        • chuckula
        • 4 years ago

        Actually, Android’s exposure to Heartbleed was low since OpenSSL is not a built-in part of Android. It might be possible as part of a third-party app, but it’s not wide open by default.

          • Deanjo
          • 4 years ago

          http://www.theverge.com/2014/5/29/5762496/new-heartbleed-attack-targets-android-devices-and-routers-over-wi-fi

          http://www.bloomberg.com/news/2014-04-29/what-a-heartbleed-attack-on-an-android-phone-looks-like.html

    • nanoflower
    • 4 years ago

    I wonder how much the branding helps the security research firms. After all, once the initial announcement is made it’s picked up by many different papers and web sites and the information about the original discovery of the bug tends to get lost along the way. Especially as people focus on whether there’s a patch under way and when it might arrive and just how dangerous the bug is if you don’t have a patched system.

      • derFunkenstein
      • 4 years ago

      Oh, I’m sure that if you give a security hole a catchy name, it helps promote your organization. “Yeah, we discovered Heartbleed,” stands out way more than “We found a critical bug in OpenSSL implementations that had been open and un-exploited for years.”
