It was the second Tuesday of the month yesterday, and you know what that means… Patch Tuesday!
Microsoft has issued a bundle of security bulletins, detailing fixes for 31 vulnerabilities, including critical remote code execution flaws in Internet Explorer and Microsoft Edge.
And this Patch Tuesday update includes a fix for the Badlock bug – a vulnerability that was pre-announced three weeks ago, with a cutesy name, its own website and (of course) logo.
Initially the Badlock website arguably scared the willies out of sysadmins, just saying there was a “crucial security bug in Windows and Samba” and that affected systems should be updated when the fix was released on April 12.
After online criticism, the site defended its pre-announcement and its “marketing” of the vulnerability:
Why announce Badlock before April 12th, 2016?
The main goal of this announcement is to give a heads up and to get you ready to patch all systems as fast as possible and have sysadmin resources available on the day the patch will be released. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.
Weighing the respective interests of advance warning and utmost secrecy we chose to warn you beforehand, so that everyone has a chance to be ready to install the fixes as soon as they are available. Once the patch is released to the public, it will point to attack vectors and exploits will be in the wild in no time.
Yet Another Bug With A Logo?
What branded bugs are able to achieve is best said with one word: Awareness. Furthermore, names for bugs can serve as unique identifiers, other than different CVE/MS bug IDs.
It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it. This process didn’t start with the branding – it started a while ago with everyone working on fixes.
Despite the hoopla, however, it doesn’t appear that Badlock is the most serious of the flaws to be fixed by Microsoft this month. In fact, some have dubbed the man-in-the-middle attack “Sadlock” because it fails to live up to its hype.
1st Law of Vuln Hype: the time between branded announcement and disclosure is inversely proportional to actual impact of the bug. #badlock
— Jan Schaumann (@jschauma) April 12, 2016
Irregular reminder: cybercriminals are most interested in things that scale and can be done remotely. MitM often fails both conditions.
— Martijn Grooten (@martijn_grooten) April 12, 2016
Yes, you should patch affected systems against Badlock, but many will find other vulnerabilities inside Microsoft’s Patch Tuesday bundle that are a higher priority.
A bigger risk than Badlock for most computer users is the set of flaws that allow attackers to remotely execute malicious code on your computer through booby-trapped webpages and Word documents.
For more details, read Microsoft’s advisory and make sure that your computer is running the latest security patches.
1. I haven't accepted any Windows Updates for over a year.
2. I don't use Microsoft Office; I use LibreOffice.
3. I have not encountered any problems / "security issues" and I am no longer inconvenienced.
Fact of computer security: many hosts that are compromised are oblivious to the fact.
Want a funny example? I had a friend years ago (and I remember when he did this) who made the file server of a specific (which I will not name) security company open to everyone. It was unknown for >= 10 years.
And Microsoft Office versus Libre is only going to matter for vulnerabilities specifically targeting Microsoft Office documents.
Eventually your poor practices will bite you but the wound might not even be known to you. I have many examples including government hosts trying to use my primary mail server to relay spam. I know many other admins also have plenty of examples. But I suppose this is all beyond your comprehension – for better or for worse.
Give us your IP and we'll show you how you can be inconvenienced!
Martijn certainly has a point but it's still (and I know he knows this) worth remembering that MiTM attacks are quite serious.
But rather than call this sadlock why not call it gladlock since it's not as serious as was suggested?