So there’s been hype about this big exploit coming, for over a month, before anything was released. It had a name, a website and a logo – and it was called Badlock.
And now it’s out, and it’s more like Sadlock – really a local network DoS against DCE/RPC services on Windows and Linux with some slight chance of pulling off a MiTM. No remote code execution, not even privilege escalation.
Microsoft hasn’t even labelled it as critical, merely important.
Crucial? As it was marketed, hardly.
There is a whole list of CVEs related, none of them are really critical.
Another questionable point is that the person who ‘discovered’ these bugs is a member of the Samba Core Team and works on Samba.
So it’s like hey, here’s a bunch of vulnerabilities I found in my own software, let’s make a logo for them and give them a name (which doesn’t even really relate to the vulns).
So yeah, there’s nothing really wrong with branding a vulnerability to get awareness about something critical – get press coverage and get people fixing it. But this? This is a minor bug, with no real major production impact, only exploitable over a LAN, which at worst allows for a MiTM.
I saw a great quote on Twitter. It went something like:
“All these names for exploits are getting confusing and can be hard to remember/categorise – soon we’ll need to invent some kinda system that assigns numbers to vulnerabilities…”
Are these bugs important enough to patch? Oh yes, absolutely. Did they need a month of marketing, a logo and a name to raise awareness? Absolutely not. They could have slid into regular, automated patch updates along with all other ‘important’ patches.
It could have been an interesting story about a whole series of bugs in Samba, but it became a huge discussion about the Badlock clownshow. Sad.
(Via Darknet – The Darkside)
I can’t agree with this article more. It’s a great read. I didn’t mean to quote quite so much, but I get a hoot out of the story.
We spoke about this on PVC Security podcast when the story first broke. It looks like most if not all of our predictions came true.