Badlock flaw is patched, but failed to live up to the security hype

Some accused the developer who found the flaw of ramping up publicity for the bug, a month ahead of its planned patching.
Written by Zack Whittaker, Contributor

Badlock, the latest security flaw with a catchy name and a logo, has been fixed, but not without stirring the controversy pot.

Samba, open-source software that connects Linux and Unix servers and Windows PCs over a network, has patched seven separate vulnerabilities, which could allow an attacker to conduct man-in-the-middle or denial-of-service attacks.

The team said that Samba versions 3.6 and later were affected, but only released fixes on its website for version 4.2 and later.

Collectively, the so-called "Badlock" vulnerability would allow an attacker to listen in on traffic, trigger a session downgrade, and hijack a session. Simply put, an attacker may be able to reveal user passwords and other sensitive information on an affected server.

The flaw specifically affects Windows servers running Samba, but it also affects almost every version of Linux, with which Samba is bundled.

Microsoft addressed the "important" flaw in a patch released on Tuesday as part of its scheduled monthly release of security fixes, but stopped short of rating the issue at the highest "critical" level. A spokesperson said users who apply the April updates are "protected automatically."

Josh Bressers, security strategist at Red Hat, one of the Linux distributions affected by the flaw, said in an email that Badlock was "one more potentially dangerous exploit that was identified and addressed by the open source community."

But not everyone thought the bug was as serious as others claimed it was.

Karl Sigler, threat intelligence manager at security firm Trustwave, said in a blog post on Tuesday that the three-week lead time ahead of the disclosure was a key indicator of what was to come.

"Well, we now know the details and I'm guessing most people will consider Badlock a bust," said Sigler.

"This is certainly a concern and admins should patch their systems as early as possible. However I can't say that this vulnerability rises to any level that deserves the focus that a dedicated website and three weeks of buildup have given Badlock," he said.

Little was known about the security flaw until today, but it nevertheless drew attention, albeit for the wrong reasons.

The preemptive publicity push drew ire from the security community, amid accusations that the attention could allow some to exploit the flaw ahead of its scheduled patching in three weeks' time.

Stefan Metzmacher, a SerNet employee, found the flaw, but is also named in hundreds of Samba source code files, dating back as far as 2002, according to one analysis.

The close connection between Metzmacher's development work and the discovery of the flaw has led some to accuse the company of trying to profit from what was effectively fixing its own code.

Metzmacher did not respond to questions when we reached out.
