BADLOCK – Are ‘Branded’ Exploits Going Too Far? A: Yes!

BADLOCK – Are ‘Branded’ Exploits Going Too Far?:

So there’s been hype about this big exploit coming, for over a month, before anything was released. It had a name, a website and a logo – and it was called Badlock.
And now it’s out, and it’s more like Sadlock – really a local network DoS against DCE/RPC services on Windows and Linux with some slight chance of pulling off a MiTM. No remote code exeuction, not even privilege escalation.

Microsoft hasn’t even labelled it as critical, merely important.
Crucial? As it was marketed, hardly.

There is a whole list of CVE’s related, none of them are really critical.
Another questionable point is that the person who ‘discovered’ these bugs, is a member of Samba Core Team..and works on Samba.
So it’s like hey, here’s a bunch of vulnerabilities I found in my own software, let’s make a logo for them and give them a name (which doesn’t even really related to the vulns).
So yah there’s nothing really wrong with branding a vulnerability, to get awareness about something critical – get press coverage and get people fixing it. But this? This is a minor bug, with no real major production impact, only exploitable over a LAN which at words allows for a MiTM.

A saw a great quote on went something like:
“All these names for exploits are getting confusing and can be hard to remember/categorise – soon we’ll need to invent some kinda system that assigns numbers to vulnerabilities…”
LOL indeed.
Are these bugs important enough to patch? Oh yes, absolutely. Did they need a month of marketing, a logo and a name to raise awareness? Absolutely not. They could have slid into regular, automated patch updates along with all other ‘important’ patches.
It could have been a interesting story about a whole series of bugs in SAMBA, but it became a huge discussion about the Badlock clownshow. Sad.

(Via Darknet – The Darkside)
I can’t agree with this article more. It’s a great read. I didn’t mean to quote quite so much, but I get a hoot out of the story.
We spoke about this on PVC Security podcast when the story first broke. It looks like most if not all of our predictions came true.

Leave a Reply

Your email address will not be published. Required fields are marked *