It was the second Tuesday of the month yesterday, and you know what that means… Patch Tuesday!
Microsoft has issued a bundle of security bulletins, detailing fixes for 31 vulnerabilities, including critical remote code execution flaws in Internet Explorer and Microsoft Edge.
And this Patch Tuesday update includes a fix for the Badlock bug - a vulnerability that was pre-announced three weeks ago, with a cutesy name, its own website and (of course) logo.
Initially the Badlock website arguably scared the willies out of sysadmins, just saying there was a “crucial security bug in Windows and Samba” and that affected systems should be updated when the fix was released on April 12.
After online criticism, the site defended its pre-announcement and its “marketing” of the vulnerability:
Why announce Badlock before April 12th, 2016?
The main goal of this announcement is to give a heads up and to get you ready to patch all systems as fast as possible and have sysadmin resources available on the day the patch will be released. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.
Weighing the respective interests of advance warning and utmost secrecy, we chose to warn you beforehand, so that everyone has a chance to be ready to install the fixes as soon as they are available. Once the patch is released to the public, it will point to attack vectors and exploits will be in the wild in no time.
Yet Another Bug With A Logo?
What branded bugs are able to achieve is best said with one word: Awareness. Furthermore, names for bugs can serve as unique identifiers, other than different CVE/MS bug IDs.
It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it. This process didn’t start with the branding - it started a while ago with everyone working on fixes.
Despite the hoopla, however, it doesn’t appear that Badlock is the most serious of the flaws to be fixed by Microsoft this month. In fact, some have dubbed the man-in-the-middle attack “Sadlock” because it fails to live up to its hype.
1st Law of Vuln Hype: the time between branded announcement and disclosure is inversely proportional to actual impact of the bug. #badlock
— Jan Schaumann (@jschauma) April 12, 2016
Irregular reminder: cybercriminals are most interested in things that scale and can be done remotely. MitM often fails both conditions.
— Martijn Grooten (@martijn_grooten) April 12, 2016
Yes, you should patch affected systems against Badlock, but many will find other vulnerabilities inside Microsoft’s Patch Tuesday bundle that are a higher priority.
A bigger risk than Badlock for most computer users is the set of flaws that allow attackers to remotely execute malicious code on your computer through booby-trapped webpages and Word documents.
For more details, read Microsoft’s advisory and make sure that your computer is running the latest security patches.