Since the Heartbleed bug was publicised in 2014 with its media-friendly name, logo, and website, brand-name software bugs with flamboyant public relations campaigns have become a common occurrence.
Another computer bug is gaining momentum these days, setting the bar high for coming brand-name bug disclosures. Badlock has been receiving a lot of publicity even if the exact nature of the bug and the patches that could remove it weren’t disclosed outright.
This bug affects some versions of the Windows OS and Samba – the free, open-source program that lets Linux or Unix and Windows computers share files and printers across a network. A marketing campaign about the security flaw came with a website and logo that SerNet – the German company that discovered the bug – said was meant to inform system administrators that patches were coming so they could prepare to update their systems.
SerNet stated, “Admins and all of you responsible for Windows or Samba server infrastructure: Mark the date. Please get yourself ready to patch all systems on this day. We are pretty sure that there will be exploits soon after we publish all relevant information.”
This campaign has led the information security community to criticise SerNet for hyping the issue for its own profit and for putting the public at risk. The campaign essentially gave hackers three weeks to determine the flaw and develop exploits for it before patches could be released by Microsoft and Samba.
Dan Kaminsky, White Ops’ chief scientist and a noted researcher, said the bug disclosure process was not doing anyone any favors. “What’s the call to action (for system administrators) other than pay attention? Even when we complain about (other) bugs with logos and with media attention, yeah there’s annoyance, but the core reality is there’s a problem, here’s a fix, people should act. What are people supposed to do (in this case) other than applaud or guess the flaw?”
Risk Based Security’s director of vulnerability intelligence, Brian Martin, said this was pure, unadulterated marketing on SerNet’s part. He added, “people will start contacting them (seeking information and protection), and it opens up sales channels left and right.”
Not everyone opposes the three-week warning, though. Chris Wysopal, Veracode’s co-founder and CTO, said, “I think it makes sense to give notice for a flaw this widespread, if it turns out to be critical… widespread, easy to exploit, and high impact.”
Researchers who discover a system vulnerability usually disclose the information to the public before a fix or patch is available; security companies also usually offer detection and protection services, marketing their products before a fix is released to assist customers until the flaw is fixed.
Martin and Kaminsky, on the other hand, believe this is a different situation, as SerNet has hinted at details that could help hackers find the security hole. Martin also noted that there are questions about the SerNet employee who discovered the flaw and whether he might have had a role in creating it.
Stefan Metzmacher, who has been writing Samba code since the early 2000s and is currently a SerNet employee specialising in Samba training and consultation, discovered the Badlock bug. He is credited in more than 450 Samba source code files created over a span of 12 years, and a number of other SerNet employees were also Samba developers in the past. This is SerNet’s edge – its employees were former developers at Samba and similar projects.
The situation might seem dubious, as there is a possibility that the Badlock bug Metzmacher discovered is in a part of the Samba code he or another SerNet employee actually wrote; he and SerNet could then be criticised further for marketing the discovery of a bug they may have helped create.
In a blog post, Martin said, “it is certainly eye-opening when someone develops a piece of software for over a decade, then finds a critical vulnerability in it a couple years after… and will most likely capitalise on it directly.”
Others in the industry have expressed the same sentiments – some restate the fact that Metzmacher discovered the Badlock bug in code he had previously worked on, while others joke about how the situation turned out to be profitable for Metzmacher and company. SerNet CEO Johannes Loxen, in a tweet to a certain @SteveD3, said “a serious bug gets attention and marketing for us and our open source business is a side effect of course. #whynot #winwin #Badlock”
SerNet’s Badlock website calls the flaw a “crucial security bug” for Windows and Samba. Loxen tweeted that Badlock could give a hacker administrative-level privileges in a local network or system. Wysopal added that, with only this knowledge in hand, Badlock could be anything from another worm that spreads using flaws in Windows file-sharing and infects up to 9 million computers, to nothing serious at all. “We have seen other named vulnerabilities that were hyped that turned out to be hard to exploit and not widespread in reality so we will have to wait and see,” he added.
Martin added that knowing Badlock affects both Windows and Samba narrows down the possible location and extent of the bug – making it easier for hackers to find it. Experts posit that the flaw might be in the Server Message Block (SMB) protocol, the function that lets computers read and write files over a local network. Windows uses the Common Internet File System (CIFS), a specific implementation of the SMB protocol for that operating system.
“We know it is almost assuredly (a remote-code execution flaw), and likely has to do with the implementation of the SMB/CIFS protocol,” Martin wrote.
Martin also thinks the Badlock name might provide clues on the nature of the bug – “the name Badlock is likely based on a file or resource locking mechanism within the SMB implementation, and the code that controls it.”
Kaminsky worries that if this is the case, hackers would easily find the flaw and exploit it. “At minimum they shouldn’t have named the flaw. Now you’ve got a lot of people looking at the locking subsystem in SMB and maybe people find this particular Badlock flaw, maybe they find others. There’s a 12-day period in which everyone is on notice: large bug here; no patch.”
Kaminsky has extensive experience in computer bug controversies. In 2008, he was part of the discovery of a serious DNS flaw and also helped coordinate a widespread multi-vendor patch operation for a bug that affected almost all websites – it was even called “the worst internet security hole since 1997.” At the time, Kaminsky publicly revealed the existence of the bug in a press conference, but did not disclose details about it so that DNS server owners could patch their systems first. He was planning to reveal the details of the bug at a security conference that year, but a security firm released the details online by mistake, allowing a hacker to create an exploit. Kaminsky added that circumstances differ between his bug and Badlock, since a majority of the systems were already patched in his case.
Kaminsky said, “I don’t pretend that I did it right. But the thing I didn’t do wrong was have all sorts of hackers out after my bug.”
Kaminsky adds that one of the biggest concerns with Badlock is other variants of the bug might be discovered before fixes can be published. “Every bug has a hundred variants… that would show up across other platforms,” Kaminsky said. If the flaw is found in the SMB protocol, it could affect other programs that are associated with SMB – these include Mac OS X, FreeBSD, and Solaris.
He also said that Microsoft and Samba might encounter problems that prevent them from releasing their fixes on the designated day. “As they’re doing the final testing on this patch, they might discover something wrong and they have no flexibility to move the (patch release) day. Any patch that comes out must come out on this particular day, because it’s a situation that’s now on fire. How is this protecting users; how does this have anything to do with users?”
SerNet’s critics say the campaign is certainly easy for the company to use to its advantage, but, more critically, it is just as easy for hackers and cybercriminals to use.