There's a new vulnerability set for disclosure in April called Badlock. Not much is known about the vulnerability itself, but deleted tweets have offered a key clue as to its impact.
Complete with a logo and domain, Badlock looks to be yet another example of a hyped-up and marketed vulnerability. As it exists today, the Badlock.org website offers a basic warning to Windows administrators and business leaders.
"On April 12th, 2016 a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock. Engineers at Microsoft and the Samba Team are working together to get this problem fixed. Patches will be released on April 12th," the website says.
"Please get yourself ready to patch all systems on this day. We are pretty sure that there will be exploits soon after we publish all relevant information."
The vulnerability itself was discovered by Stefan Metzmacher, who helped develop Samba. The company Stefan works for, SerNet, has five other employees who help work on the Samba project. In addition to other services, SerNet does training, coding, support and consulting for Samba.
Moreover, SerNet even admits to being pleased by the marketing potential the disclosure has. Calling it a win-win situation, Johannes Loxen, (who registered the Badlock.org domain) said the disclosure gives attention to a "serious bug" and as a side effect, SerNet gets marketing.
As word of the vulnerability spread, researchers following the issue noticed that Metzmacher's name appears in 463 files, and that SerNet calls him a renowned member of the Samba core developer team.
But it isn't clear if he developed the vulnerable code himself, which is why the Samba team needs to discover who wrote the flawed code.
Again, SerNet has six employees working on the Samba project, which means there could be problems if they’re benefiting from flawed code one of their own staff produced.
PR-driven vulnerability disclosure isn't something new. There have been several since Heartbleed.
They can be useful at times. In fact, naming dangerous things with terms that are easy to remember isn't new. On Twitter Tuesday evening, Jeremiah Grossman pointed out parallels between naming vulnerabilities and the naming conventions used by the National Hurricane Center.
According to the NHC, naming storms prevents confusion when two or more of them occur at the same time, and the use of short, distinctive names is quicker when it comes to communicating issues in verbal or written form.
To add some context to the NHC example, giving the name Heartbleed to CVE-2014-0160 makes sense.
Heartbleed was a serious vulnerability that impacted a large chunk of the Internet and the devices on it. And the marketing, promotion surrounding it generated tons of news coverage and quick reaction by administrators who worked long hours to patch vulnerable systems.
But the downside to Heartbleed is that it's now used as a sales and marketing tool. It's the boogeyman of vulnerabilities, because everyone knows the name. There's a certain power attached to the name Heartbleed that invokes a level of urgency that doesn't necessarily apply to all situations, no matter what the sales person's slide deck says.
In the case of Badlock, the public has 20 days to consider the vulnerability, which means criminals have plenty of time to tear Samba to bits and look for the flaws.
Given what's known about it, some have suggested that anyone looking for Badlock start with the SMB/CIFS protocol.
Loxen himself has said that Badlock will mean "admin accounts for everyone on the same LAN."
In a blog post, Brian Martin, Director of Vulnerability Intelligence for Risk Based Security, commented on the debate surrounding the early hype, and the teaser website.
"There is heavy debate as to if this is a good or bad thing for defenders. Just knowing the vulnerability affects Windows and Samba starts to narrow down where the issue is. We know it is almost assuredly remote, and likely has to do with the implementation of the SMB/CIFS protocol. With thousands of talented exploit developers out there, the odds of someone finding the same issue, or one equally serious, is considerable."
Opinion:
I think that Badlock is likely one of the worst examples of marketing and hype for a vulnerability that we've seen to date.
Even Heartbleed didn't have a teaser notification three weeks out. To make matters worse, the company that owns the domain promoting the vulnerability is glad for the marketing opportunity it's providing.
Granted, there are valid reasons for naming vulnerabilities, as it brings attention to an issue that can be shared with a wider audience – at least it's better than using CVE or MS patch IDs.
Likewise, giving administrators a heads-up on something is okay too, but three weeks?
If there is a need to bring attention to Badlock, what's the point of a teaser? Why couldn't the branding and website promotion wait until the patch was released?
Again it's sales.
On Twitter, Loxen said in part, "...don't blame us for this advertising :-)" – but they have six employees actively working on the Samba project – if they're profiting from flaws they introduced into the product, there is plenty of blame to be had.
There are some administrators who will be glad for the advanced warning, and if PR helps stop attackers from hammering a seriously critical vulnerability, then great.
But is Badlock such a vulnerability?
Loxen said that everyone on the LAN could get admin if the flaw is exploited. LAN-based issues reduce the risk considerably, but they're a nightmare for flat networks.
What do we do if someone discovers this flaw on their own before April 12? Because odds are, that's going to happen.
Now, maybe I'm wrong in my opinions. If I am, I will freely admit to it.
But I really don't like seeing vulnerabilities marketed and hyped. This situation is compounded by the fact that the company responsible for the disclosure not only admits to being glad for the marketing it's provided, they have an entire business based on the product in question, and staffers who helped develop it.