‘Crucial’ Badlock Vulnerability Affects Windows, Samba

Samba and Microsoft engineers have warned system administrators to expect a critical patch on 12 April

Developers have warned of a mysterious “crucial” bug affecting Windows and Samba, and have told IT administrators to expect a critical patch for the issue on 12 April, the date of Microsoft’s next scheduled update for Windows.

As yet, no details have been released about the nature of the vulnerability, called “Badlock”, other than the versions of Samba to be patched – but developers at Microsoft and the Samba team have nonetheless made an effort to attract as much attention to the issue as possible, taking the unusual step of giving it its own website complete with a logo.

Advance warning


“Please get yourself ready to patch all systems,” reads a statement on the Badlock website. “We are pretty sure that there will be exploits soon after we publish all relevant information.”

The bug was discovered by Stefan Metzmacher, a member of the team that develops Samba and an employee of German IT consultancy SerNet.

Metzmacher reported the bug to Microsoft and is working with the company on the fix, according to the Badlock site. Microsoft, Metzmacher and SerNet declined to provide further comment.

In response to criticism of the way Badlock is being publicised, the unnamed Samba and Microsoft engineers behind the site said the advance warning was intended to allow system administrators to prepare themselves. Advance notice is standard for software patches, and the extra publicity is intended to ensure that the bug is fixed as soon as possible, they said, implying that it’s of exceptional seriousness.

“The main goal of this announcement is to give a heads up and to get you ready to patch all systems as fast as possible and have sysadmin resources available on the day the patch will be released,” they wrote. “Once the patch is released to the public, it will point to attack vectors and exploits will be in the wild in no time.”

‘Heartbleed’ comparison

Samba is an open source implementation of the SMB/CIFS networking protocol, which Windows uses for shared access to files, printers and serial ports and for communication between nodes on a network. Samba ships with many Unix and Linux systems.

Researchers said Samba versions 4.2, 4.3 and 4.4 would be patched. Support for version 4.1 ended last week and it won’t receive the fix, they warned.

The disclosure method for Badlock is similar to that used for the “Heartbleed” bug in the OpenSSL cryptography library, disclosed in April 2014. Heartbleed was, however, only publicised on the day developers made a patch available.

The Badlock patch developers acknowledged that there’s no broad consensus over whether it’s better to withhold notification until a patch is available or to provide notice in advance to those affected.

“Weighting to the respective interests of advance warning and utmost secrecy we chose to warn you beforehand, so that everyone has a chance to be ready to install the fixes as soon as they are available,” they wrote.

Unix affected

Microsoft caused concern for many system administrators last year when it stopped distributing advance descriptions of upcoming monthly patches, limiting access to the service to those who pay for it.

The SANS Institute, an IT security training organisation, advised that the usual monthly patching routines for Windows should cover Badlock, but acknowledged that the advance warning may be helpful for Unix administrators.

“To get ready for April 12th, it may be worth-while to scan your environment for systems with SMB enabled,” said Johannes Ullrich, dean of research at SANS and director of the group’s Internet Storm Center, in an advisory. “This will get you a head start once the patch is released. Due to the high-profile pre-announcement, I expect major Unix versions to release a patch on April 12th as well.”
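The inventory step Ullrich recommends, as an added example that is not part of the article or of any SANS or Samba tooling: it parses nmap's grepable (`-oG`) output to list hosts answering on the SMB ports 139 and 445, and classifies `smbd --version` output using only what the article states (4.2, 4.3 and 4.4 will be patched; 4.1 and older are out of support). The scan output below is constructed sample data for the RFC 5737 test range; you would run `nmap -p139,445 -oG smb.gnmap <your ranges>` yourself and feed the file in.

```python
"""Pre-patch SMB inventory (added example; assumes nmap -oG output as input)."""
import re
import sys

SMB_PORTS = {139, 445}

# Constructed sample of `nmap -p139,445 -oG - 192.0.2.0/28` output.
SAMPLE_NMAP_OG = """\
# Nmap 7.01 scan initiated as: nmap -p139,445 -oG - 192.0.2.0/28
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///
Host: 192.0.2.12 ()\tStatus: Up
Host: 192.0.2.12 ()\tPorts: 139/closed/tcp//netbios-ssn///, 445/filtered/tcp//microsoft-ds///
# Nmap done -- 16 IP addresses (3 hosts up) scanned
"""

# One entry of the Ports: field looks like 445/open/tcp//microsoft-ds///
PORT_RE = re.compile(r"(\d+)/(\w+)/tcp")
# `smbd --version` prints e.g. "Version 4.2.10" (distros may append a suffix)
VERSION_RE = re.compile(r"Version (\d+)\.(\d+)\.(\d+)")


def smb_hosts(grepable):
    """Return {ip: [open SMB ports]} for every host with 139 or 445 open."""
    found = {}
    for line in grepable.splitlines():
        # Only "Host: ... Ports: ..." lines carry port states; skip Status lines
        # and the "#" comment lines nmap adds at the top and bottom.
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = line.split()[1]
        open_ports = sorted(
            int(port) for port, state in PORT_RE.findall(line)
            if state == "open" and int(port) in SMB_PORTS
        )
        if open_ports:
            found[ip] = open_ports
    return found


def samba_branch_status(version_output):
    """Classify a Samba version string against the Badlock announcement."""
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"          # not Samba, or output we do not recognise
    major, minor, _patch = (int(x) for x in m.groups())
    if (major, minor) in {(4, 2), (4, 3), (4, 4)}:
        return "patch-pending"    # branches the announcement says will be fixed
    if (major, minor) < (4, 2):
        return "unsupported"      # 4.1 and older: no fix coming, plan an upgrade
    return "not-listed"           # newer than anything the announcement covers


if __name__ == "__main__":
    # Read a real -oG file if one is given, otherwise use the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OG
    for ip, ports in smb_hosts(data).items():
        print(f"{ip}: SMB exposed on {ports}")
```

Hosts reported here are the ones to visit on patch day; on each Unix host, `smbd --version` piped into `samba_branch_status` tells you whether a vendor update will arrive or whether the box needs an upgrade off 4.1 first. Windows hosts show up in the same scan and fall under the normal monthly patch cycle.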

Despite the unusual effort made to draw attention to Heartbleed, the bug was reported last September to be still present on around 200,000 internet-connected devices.
