Security bug could be used in real attacks in the meantime

Mar 23, 2016 14:25 GMT

Security firms often create marketing campaigns for security bugs, capitalizing on their findings to boost business. Usually, these campaigns occur after the bugfix, not before, as is the case with the recent Badlock vulnerability.

According to the official Badlock website, the issue affects the SMB/CIFS file and printer sharing protocol, used by Windows and the Samba open-source interoperability software suite, which allows *NIX servers to access these resources on Windows-based networks.

Badlock flaw to be fixed in Microsoft's next Patch Tuesday

Stefan Metzmacher, an employee of security firm SerNet, is the one who discovered the flaw, and he says it will be patched on April 12, 2016. That is the same date as Microsoft's next Patch Tuesday, which means this is a security bug that affects Windows internals, not just Samba interoperability.

What most security experts have a problem with is that Metzmacher might have left clues about where and how to exploit Badlock before its official patching.

Since the vulnerability's name contains the "lock" term, many have searched for files that contain the word "lock," and some of them have found interesting results.

Risk Based Security noted that Metzmacher is also a contributor to the open-source Samba project and that he authored code in 40 files out of the 463 that contain the word "lock."

The researcher who found Badlock is under fire from fellow researchers

They and many others have naturally asked themselves whether Metzmacher is doing nothing more than correcting his own code, while also gaining some notoriety in the industry along the way.

SerNet has even admitted on their website that this is the sole work of Metzmacher. "Badlock has been discovered, analyzed and fixed by Stefan Metzmacher, a renowned member of the international Samba core developer team," the company noted.

With clues leaked here and there, many infosec experts fear that attackers might narrow down the source of the vulnerability and use it in attacks before April 12. As it looks right now, Metzmacher might have got the notoriety he desired, but it's not the kind of fame he might have wished for.

Ethics often come under fire in the infosec community, and researchers aren't shy about calling each other out when they feel the irresponsible gestures of one put users' security at risk. Below are some of the tweets that try to get to the bottom of the Badlock mystery.

Tweets regarding the Badlock disclosure debacle