Badlock facilitated MitM and DDoS attacks

Apr 13, 2016 07:10 GMT

Microsoft yesterday released its monthly security updates for Windows and the rest of its products, and among the issues it fixed was an over-hyped security bug affecting Windows and Samba servers (MS16-047). The Samba developers also patched the issue.

Details about this vulnerability were released last month, and the infosec community reacted negatively towards the researchers who discovered and reported the issue to Microsoft.

The reaction came because the researchers put together a website to promote their vulnerability, complete with a logo, and embarked on a media campaign to "advertise" the bug and their company's services.

Microsoft patches Badlock bug, doesn't view it as a critical issue

Many pointed out that the security researcher who found the bug was also a Samba contributor, hinting that this was not really a vulnerability discovery but a bugfix for his own previously sloppy code.

Once more details on Badlock were revealed, including its identifier, CVE-2016-2118, security researchers remained unimpressed, especially after Microsoft rated the fix only as "important," a lower severity rating, rather than "critical," as the researchers who found it had hoped.

It appears that the infosec community was right all along, and this was just another plain ol' overhyped bug. But don't get too complacent. The bug still needs fixing, mainly because it can be used in MitM (Man-in-the-Middle) attacks and to relay DDoS attacks. Even CERT has issued a warning to that effect, urging sysadmins to patch.

Red Hat sees the issue as critical, though

While Microsoft said Badlock's impact on Windows was not that severe, Red Hat has a different view of the issue.

"While this vulnerability specifically affects Microsoft Windows, Samba is included in nearly every distribution of Linux, including Red Hat Enterprise Linux," a Red Hat spokesperson told Softpedia via email. "Red Hat views Badlock's related security issues as 'critical' and has issued several advisories and patches - we recommend patching affected systems as soon as possible."

"Badlock is one more potentially dangerous exploit that was identified and addressed by the open source community before it caused significant damage to the broader connected world, showing the continued power of open innovation within IT and open source security," Josh Bressers, security strategist at Red Hat, told Softpedia.

"From a software provider perspective, it’s another example of why vulnerability identification is simply not enough. Vendors that truly want to be defined as leaders must actually help their customers identify problems, supply fixes and validate the solution to truly provide end-to-end security across the evolving IT ecosystem," Mr. Bressers also added.

Most infosec researchers are annoyed with the immense hype

Other security researchers, however, did not share Mr. Bressers' concern. "Badlock is yet another 'superstar' vulnerability with its own logo, website, and subsequent hype," Andrew Storms, VP of Security Services at New Context, told Softpedia. "My biggest piece of advice in the face of Badlock is stay calm and don't chase the hype."

"For many people the Badlock hype was just that, a lot of hype. Security teams should patch immediately, but also put it in perspective with all of the patches that Microsoft released today. For example, patching a remote code execution bug in Internet Explorer may be more important to your organization than the over-hyped Badlock."

But Mr. Storms also sees a positive side to Badlock's overhype. "On one hand, prior notice of a vulnerability helps security operations teams prepare. Too many operate interrupt-driven security, which is not the most effective approach, and notice of upcoming vulnerabilities helps to move companies from being reactive to being proactive."

Overhyping security bugs also has its positive side

"In an ideal world, security operations teams would be applying Lean Security principles that proactively allow for good asset management. Good asset management is the first step to strong risk management," Mr. Storms also noted. "If you've managed deployments through automation, for example, something like Badlock becomes just another patch that can be quickly and easily addressed."

"On another note, it's too bad that Microsoft disbanded the Microsoft Security Response Center (MSRC), because in this instance it would have allowed for better communications from Microsoft and in turn, a better understanding of how people are affected."

To prevent any exploitation, ISC's Johannes B. Ullrich has some advice: "You are of course the most at risk if you are allowing SMB traffic over untrusted networks, which has always been a bad idea. Exploitation of a man-in-the-middle vulnerability does require that the attacker is able to intercept traffic. The use of a VPN would prevent exploitation."