Not so bad lock…

The cyberstorm has passed. We survived. Phew.

Couple of quick words about the #badlock bug, because I don’t think it deserves much more at this point.

The world didn’t end, the sky didn’t fall. The details were revealed and patches are out. So, you know... patch, maybe.

The summary is as follows:

== Summary:     A man in the middle can intercept any DCERPC
== traffic between a client and a server in order to
== impersonate the client and get the same privileges
== as the authenticated user account. This is
== most problematic against active directory
== domain controllers.

And here are the advisory page links

So basically, the attacker needs to be in a position to man-in-the-middle the traffic in your network in order to exploit this flaw. While this is of course serious, elevating yourself to a MitM position isn’t completely trivial (assuming “standard enterprise network” practices are in place), and if the attacker does succeed in getting that far, they already have a foothold and persistence and you’re probably going to have a really bad day anyhow. They don’t really need this bug to be dangerous at that point.

To put some more perspective to this: Microsoft didn’t even bother to classify this as Critical. It’s only classified as Important. As it probably should be.

It seems to me that the Samba developers might have trolled the entire InfoSec industry by hyping this up unnecessarily. Maybe this was just a show to prove how silly vulnerability branding has become. Well played in that case.

The other option is much uglier. They did this to artificially create hype for their own consultancy company. If that is the case then shame on you. Shame on you.

The bottom line is: This sort of waffling erodes trust. Next time the Samba project announces something important, I’m not so sure people will listen. Crying wolf does that to you.

And that’s a real shame. That’s all there really is to say about this debacle.

Go and patch your boxes. Microsoft released several other, critical bulletins today, SANS ISC has the summary here:

Over and out.
