There is something unnerving—and even a tad repugnant—about announcing that there's a massive security hole and that it won't be patched for weeks. Welcome to Badlock. What possible legitimate security goal is advanced by this publicity stunt?
The bug, which marketers for Samba dubbed Badlock, is extremely serious and potentially disruptive, which is what makes the pre-announcement heads-up all the more offensive. By the way, they created their own website for this security hole. I would normally make a sarcastic quip that they borrowed this marketing page from Heartbleed, but none is needed. The Badlock people—I swear—literally did go to the Heartbleed team. A note near the bottom of their website says "We are grateful to the Heartbleed team to use their template." (Broken English aside, don't be stunned if that acknowledgment magically disappears from that page soon.)
Before we jump into the particulars of Badlock—beyond saying that, if its claims are true, it could prove quite nasty—let's look at the timeline and some revisionist history. The Badlock site said on Tuesday (April 12) that "on April 12th, 2016 Badlock, a crucial security bug in Windows and Samba was disclosed. Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available. Please update your systems. We are pretty sure that there will be exploits soon."
If only that had been the case. Instead, that bug was disclosed by Samba and others weeks before and it was the patch that wasn't available until April 12. Had the vendors kept silent until Microsoft and others could properly publish patches, this wouldn't be an issue.
Now let's drill into how bad this is. This is how Samba describes it: "Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to denial of service attacks (crashes and high cpu consumption) in the DCE-RPC client and server implementations. In addition, errors in validation of the DCE-RPC packets can lead to a downgrade of a secure connection to an insecure one."
In other words, any user with any access to the network can use this hole to upgrade their privileges as high as they want. Not good. Samba acknowledges this potential while playing down its probability. "While we think it is unlikely, there's a nonzero chance for a remote code execution attack against the client components, which are used by smbd, winbindd and tools like net, rpcclient and others. This may gain root access to the attacker. The above applies all possible server roles Samba can operate in," Samba said. "The downgrade of a secure connection to an insecure one may allow an attacker to take control of Active Directory object handles created on a connection created from an Administrator account and re-use them on the now non-privileged connection, compromising the security of the Samba AD-DC."
Just in case that was insufficiently unsettling, Samba volunteered that this might be even worse: "Note that versions before 3.6.0 had completely different marshalling functions for the generic DCE-RPC layer. It's quite possible that that code has similar problems."
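To make the version ranges Samba gives above concrete, here is a small triage script that classifies `smbd --version`-style output against them. This is an added example written for this column, not code from Samba or from the advisory; the `FIXED` table encodes the three fixed releases quoted above, the `SAMPLE` inventory is constructed, and treating any branch newer than 4.4 as patched is an assumption.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Ranges quoted from the Samba advisory: "from 3.6.0 to 4.4.0 inclusive".
VULN_FIRST: Version = (3, 6, 0)
VULN_LAST: Version = (4, 4, 0)
# First fixed release per maintained branch ("4.4.2, 4.3.8 and 4.2.11").
FIXED: Dict[Tuple[int, int], Version] = {
    (4, 4): (4, 4, 2), (4, 3): (4, 3, 8), (4, 2): (4, 2, 11),
}

def parse_version(text: str) -> Version:
    """Pull major.minor.patch out of a line such as 'Version 4.3.7-Ubuntu';
    distro suffixes after the numbers are ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)

def badlock_status(v: Version) -> str:
    """Classify an upstream Samba version against the advisory ranges."""
    if v < VULN_FIRST:
        # Pre-3.6 used different marshalling code that Samba said "quite
        # possibly" has similar problems: not assessed, so not cleared.
        return "unknown"
    branch = v[:2]
    if branch in FIXED:
        # 4.3.8 sorts below 4.4.0 yet is fixed, so the branch check comes first.
        return "patched" if v >= FIXED[branch] else "vulnerable"
    if v <= VULN_LAST:
        return "vulnerable"   # e.g. 3.6.x, 4.0.x, 4.1.x: no fixed release
    return "patched"          # assumption: 4.5 and later ship after the fix

def triage(hosts: Dict[str, str]) -> Dict[str, str]:
    """Map host -> status for a dict of host -> version-output line."""
    return {h: badlock_status(parse_version(out)) for h, out in hosts.items()}

# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE = {
    "fs1": "Version 4.3.7-Ubuntu",
    "fs2": "Version 4.4.2",
    "dc1": "Version 4.2.11-SerNet-RedHat",
    "old": "Version 3.5.22",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Distributions often backport a fix without bumping the upstream version string, so treat a "vulnerable" result as a prompt to check the package changelog rather than as proof.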
Although I am generally in favor of information being released as soon as possible, the clear exception is security holes that have yet to be patched. Indeed, there's an argument to be made that security hole details in the immediate aftermath of a patch's release are also dangerous, because it will take time before most companies install the patches. Until then, they are doubly at risk, and thieves will quickly try to leverage the hole, knowing that most users will not yet have patched.
But why announce a whole week prior to the patch being available? It has been argued that this pre-announcement amounts to little more than a marketing ploy to get attention. Defenders argue that the seriousness of the hole demands a pre-announcement, so that everyone will be ready to deploy the patch first thing on April 12. In this instance, those defenders are wrong.
There are shops that place a high priority on patching quickly and those that simply don’t. And the don'ts overwhelmingly outnumber the dos. For shops that have a practice of patching quickly, an announcement simultaneous with the patch would have delivered those quick patches. For shops that are patch sluggish, well, they would still delay.
A marketing ploy, by the way, is different from simply marketing. A marketing ploy is something solely designed to advance the brand, whereas marketing can advance the brand while also helping customers and prospects. This, dear readers, was a ploy. That is dangerous because it increases the number of delayed patchers. It makes it more likely that these announcements will be ignored or dismissed as mostly hype in the future.
Security is a serious issue and it's time that we demand that security vendors treat it as such.