Microsoft issues security patches for 31 separate vulnerabilities

Critical bugs fixed, but Badlock fails to live up to the hype.

It was the second Tuesday of the month yesterday, and you know what that means... Patch Tuesday!

Microsoft has issued a bundle of security bulletins, detailing fixes for 31 vulnerabilities, including critical remote code execution flaws in Internet Explorer and Microsoft Edge.

And this Patch Tuesday update includes a fix for the Badlock bug - a vulnerability that was pre-announced three weeks ago, with a cutesy name, its own website and (of course) logo.

Initially the Badlock website arguably scared the willies out of sysadmins, just saying there was a "crucial security bug in Windows and Samba" and that affected systems should be updated when the fix was released on April 12.

After online criticism, the site defended its pre-announcement and its "marketing" of the vulnerability:

Why announce Badlock before April 12th, 2016?

The main goal of this announcement is to give a heads up and to get you ready to patch all systems as fast as possible and have sysadmin resources available on the day the patch will be released. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.

Weighting to the respective interests of advance warning and utmost secrecy we chose to warn you beforehand, so that everyone has a chance to be ready to install the fixes as soon as they are available. Once the patch is released to the public, it will point to attack vectors and exploits will be in the wild in no time.

Yet Another Bug With A Logo?

What branded bugs are able to achieve is best said with one word: Awareness. Furthermore names for bugs can serve as unique identifiers, other than different CVE/MS bug IDs.

It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it. This process didn't start with the branding - it started a while ago with everyone working on fixes.

Despite the hoopla, however, it doesn't appear that Badlock is the most serious of the flaws to be fixed by Microsoft this month. In fact, some have dubbed the man-in-the-middle attack "Sadlock" because it fails to live up to its hype.

Yes, you should patch affected systems against Badlock, but many will find other vulnerabilities inside Microsoft's Patch Tuesday bundle that are a higher priority.

For most computer users, a bigger risk than Badlock comes from the flaws that allow attackers to remotely execute malicious code on your computer through boobytrapped webpages and Word documents.

For more details, read Microsoft's advisory and make sure that your computer is running the latest security patches.

4 Responses

  1. mickthebrick

    April 13, 2016 at 6:22 pm #

    1. I haven't accepted any Windows Updates for over a year.
    2. I don't use Microsoft Office; I use LibreOffice.
    3. I have not encountered any problems / "security issues" and I am no longer inconvenienced.

    • coyote in reply to mickthebrick.

      April 14, 2016 at 1:27 am #

      Fact of computer security: many hosts that are compromised are oblivious to the fact.

      Want a funny example? I had a friend years ago (and I remember when he did this) who made the file server of a specific (which I will not name) security company open to everyone. It was unknown for >= 10 years.

      And Microsoft Office versus Libre is only going to matter for vulnerabilities specifically targeting Microsoft Office documents.

      Eventually your poor practices will bite you but the wound might not even be known to you. I have many examples including government hosts trying to use my primary mail server to relay spam. I know many other admins also have plenty of examples. But I suppose this is all beyond your comprehension – for better or for worse.

    • BowDowntoZod in reply to mickthebrick.

      April 14, 2016 at 2:28 pm #

      Give us your IP and we'll show you how you can be inconvenienced!

  2. coyote

    April 14, 2016 at 1:30 am #

    Martijn certainly has a point but it's still (and I know he knows this) worth remembering that MiTM attacks are quite serious.

    But rather than call this sadlock why not call it gladlock since it's not as serious as was suggested?