BADLOCK – Are ‘Branded’ Exploits Going Too Far? A: Yes!

BADLOCK – Are ‘Branded’ Exploits Going Too Far?:

So there’s been hype about this big exploit coming, for over a month, before anything was released. It had a name, a website and a logo – and it was called Badlock.

And now it’s out, and it’s more like Sadlock – really a local network DoS against DCE/RPC services on Windows and Linux with some slight chance of pulling off a MiTM. No remote code execution, not even privilege escalation.

Microsoft hasn’t even labelled it as critical, merely important.

Crucial? As it was marketed, hardly.

There is a whole list of related CVEs; none of them are really critical.

Another questionable point is that the person who ‘discovered’ these bugs is a member of the Samba Core Team... and works on Samba.

So it’s like hey, here’s a bunch of vulnerabilities I found in my own software, let’s make a logo for them and give them a name (which doesn’t even really relate to the vulns).

So yah, there’s nothing really wrong with branding a vulnerability to get awareness about something critical – get press coverage and get people fixing it. But this? This is a minor bug, with no real major production impact, only exploitable over a LAN, which at worst allows for a MiTM.

I saw a great quote on Twitter... it went something like:

“All these names for exploits are getting confusing and can be hard to remember/categorise – soon we’ll need to invent some kinda system that assigns numbers to vulnerabilities…”

LOL indeed.

Are these bugs important enough to patch? Oh yes, absolutely. Did they need a month of marketing, a logo and a name to raise awareness? Absolutely not. They could have slid into regular, automated patch updates along with all other ‘important’ patches.

It could have been an interesting story about a whole series of bugs in Samba, but it became a huge discussion about the Badlock clownshow. Sad.

(Via Darknet – The Darkside)

I can’t agree with this article more. It’s a great read. I didn’t mean to quote quite so much, but I get a hoot out of the story.

We spoke about this on the PVC Security podcast when the story first broke. It looks like most, if not all, of our predictions came true.