BadLock was revealed a few days ago; we take a look at what is being said on the internet about it.
The vulnerability was discovered by Stefan Metzmacher, a member of the international Samba Core Team, working at SerNet on Samba. He reported the bug to Microsoft and has been working closely with the computing giant to fix the problem.
The research team said that the security vulnerabilities can be mostly categorized as man-in-the-middle or denial of service attacks.
Badlock is an elevation of privilege (EoP) vulnerability, the sort of security hole that can certainly be deadly in conjunction with an RCE exploit.
According to Microsoft, the vulnerability allows an attacker who can listen in to your network traffic to intercept some types of Windows logon, performing what is known as a Man in the Middle (MiTM) attack.
The risks to a Samba Active Directory server include manipulation of secrets such as password hashes or service shutdown in an Active Directory database, or the modification of file or directory permissions.
Three of the vulnerabilities require an attacker to first log on to the system, but if exploited, give the attacker full control of the target system. The fourth is a user-targeted attack where the attacker would convince the user to visit an untrusted webpage that contains embedded fonts.
Definitely a candidate for the Pwnie Award for Most Overhyped Bug. Shellshock won last year, which was also very overstated.
The threat posed by Badlock is a lot more nuanced and muted. But it could prove a godsend for rogue insiders or hackers looking to elevate privileges on a targeted network. Sure, it’s no Heartbleed or Goto Fail, but people who say it’s not serious may be sadly mistaken.
The creators of these marketing campaigns claim they want to use them to spread the news about serious bugs. However, these branded flaws are being released by security firms that want visibility themselves, which may lead to a tendency to exaggerate the threat in order to get name recognition.