By now, you know the drill. It has a catchy name, a flashy logo, and its own website. It’s now commonplace to see security vulnerabilities to launch with a fanfare, ever since the Heartbleed bug in 2013 came with its own publicity campaign.
But the latest flaw has drawn ire from the security community, amid accusations that the latest bug could allow some to exploit the flaw ahead of its scheduled patching in three weeks time.
Little was known when the flaw, dubbed Badlock, was first announced earlier this week. A shell website appeared out of nowhere, with little information. “A crucial security bug in Windows and Samba will be disclosed,” it said, and it will be patched on April 12 — which falls in line with Microsoft’s regularly scheduled day of releasing security updates, its so-called Patch Tuesday.
The flaw affects unspecified versions of Windows and Samba 4.2 and later, an open-source software that connects Linux and Unix servers and Windows PCs over a network. Deleted tweets picked up by CSO suggest that Badlock may allow “admin accounts for everyone on the [network].”
Besides that, little is known about the flaw.
The Badlock website, powered by German firm SerNet, had almost no information until later this week, when it was updated in the wake of widespread criticism from the security community, particularly on Twitter.
Stefan Metzmacher, an SerNet employee, found the flaw. He did not respond to a request for comment or for more details when we reached out earlier this week. Metzmacher’s name appears in hundreds of Samba source code files, dating back as far as 2002, according to one analysis.
SerNet, a Goettingen, Germany-based company arguably knows Samba better than anyone, a marketing point that Metzmacher is likely aware of.
A subsequently deleted tweet by Johannes Loxen, who registered the Badlock.org domain earlier this month, noted that a “serious bug gets attention and marketing for us and our open source business is a side effect of course.”
Despite Metzmacher’s public silence on the matter, Badlock’s website said the effort was for “awareness,” and dismissed criticism of its use of branded bugs.
“It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it,” said the post. “This process didn’t start with the branding – it started a while ago with everyone working on fixes.”
As the site says, there is a fine line — in this case between responsible disclosure, and irresponsible disclosure. Private disclosure (or “responsible disclosure”) allows security researchers to inform the developers of vulnerable hardware or software time to fix before the “campaign” to update begins. It can take months — even years — of behind-the-scenes work to fix a flaw. But it’s done in secrecy in order to prevent widescale exploitation of the discovered vulnerabilities.
Three weeks is a long time to give hackers a heads-up to exploit a flaw. Yes, we’ve seen Heartbleed, then Stagefright, Venom, Drown, and now Badlock. But Heartbleed was patched the very same day it was announced.
Even Microsoft hasn’t publicly acknowledged the flaw, yet, thought to be in part because the software giant now privately alerts IT administrators only a week before its regularly-scheduled Patch Tuesday.
When asked, a Microsoft spokesperson did not refer to or reference the flaw, but sent the following statement which didn’t address the questions:
“Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide solutions via our current Update Tuesday schedule,” said the spokesperson.
If it was publicity that Metzmacher wanted, now he has it. But it might not be exactly what he bargained for.