Clear April 12: Windows, Samba to splat curious 'crucial' Badlock bug
See you then, SMB file server admins
April 12 – save the date if you're a Windows or Samba file server administrator.
Stefan Metzmacher, a Samba core developer, has discovered what sounds like a pretty bad security bug, and he says it will be patched on that day next month.
The vulnerability already has everything it needs to make a big splash: a name, Badlock; a website, and a logo. Here's what we know from the site:
On April 12th, 2016 a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock. Engineers at Microsoft and the Samba Team are working together to get this problem fixed. Patches will be released on April 12th.
Admins and all of you responsible for Windows or Samba server infrastructure: Mark the date. (Again: It's April 12th, 2016.) Please get yourself ready to patch all systems on this day. We are pretty sure that there will be exploits soon after we publish all relevant information.
Metzmacher also works at SerNet, a German IT systems integrator, which has blogged about the upcoming disclosure.
It sounds like a flaw in the SMB protocol, which Windows and open-source Samba both implement to share files between computers over a network. Samba can be used on Linux, BSD, OS X and other Unixy-flavored systems to interact with Microsoft-powered machines.
It's possible Redmond and the Samba team separately made the same exploitable implementation error. However, Badlock is more likely some sort of design flaw in the protocol that can be exploited by hackers to do terrible things on various platforms.
Do bear in mind, though, that this is a protocol mostly used on internal networks, and thus Badlock will probably hit organizations rather than normal people at home.
Speculation over the bug is rife on Twitter. "Due to the name 'Badlock,' I'm guessing controllable memory write after file handle invalidated on broken lock over CIFS," said security researcher David Litchfield.
On the one hand, this sort of heads up is appreciated, especially if the security blunder turns out to be easy to exploit. It'll give people time to prepare to roll out updates for their file servers. But if this Badlock bug isn’t really all that massive then Metzmacher et al risk being seen as the little tykes who cried wolf.
We've pinged Metzmacher and Microsoft for more information and will update this story if we have any more details. ®
Sponsored: Becoming a Pragmatic Security Leader