back to article Clear April 12: Windows, Samba to splat curious 'crucial' Badlock bug

April 12 – save the date if you're a Windows or Samba file server administrator. Stefan Metzmacher, a Samba core developer, has discovered what sounds like a pretty bad security bug, and he says it will be patched on that day next month. The vulnerability already has everything it needs to make a big splash: a name, Badlock; …

  1. Yet Another Anonymous coward Silver badge

    It's the end of the world....

    >Engineers at Microsoft and the Samba Team are working together

    It wasn't too long ago that Microsoft were bragging about having an entire team dedicated to frustrating samba. And Andrew Tridgell replying that he thought it was fun and a challenge

    1. Danny 14

      Re: It's the end of the world....

      As if millions of nas boxes cried out in terror and were suddenly silenced.

    2. phuzz Silver badge

      Re: It's the end of the world....

      It was eight years ago that Microsoft gave the Samba devs all of the protocol documentation, I assume that all of the various bits of MS got the memo then and stopped trying to mess with Samba, but then who knows. There's probably a department at Microsoft that is still dedicated to bringing down Netscape.

      1. Tom 7

        Re: It's the end of the world....

        I'd heard that the Samba devs, who initially reverse engineered SMB effectively gave their documentation to MS by releasing under the GPL and then MS reformatted into Word for a giggle. And it wasn't so much that MS stopped messing Samba about as stopped messing themselves, and their many customers who wouldnt or couldn't upgrade every two years, up.

  2. Anonymous Coward
    Anonymous Coward

    OSX?

    IIRC OSX no longer uses Samba due to its anti-drm GPL license - and now uses its own implementation of the SMB protocol - is it affected too?

    1. Yet Another Anonymous coward Silver badge

      Re: OSX?

      If Microsoft is also working on a fix it is presumably a flaw in the protocol rather than the SAMBA implementation

      1. Michael Wojcik Silver badge

        Re: OSX?

        If Microsoft is also working on a fix it is presumably a flaw in the protocol rather than the SAMBA implementation

        That presumption (a weaker version of which appears in the article) may not be correct. There was a study some years ago of the effectiveness of having independent teams develop software to the same specifications, for redundant systems. It found that many of the same implementation errors were made by two or more teams, despite their different approaches. It appears that in non-trivial systems there's generally a class of potential bugs that most developers will introduce.

  3. Anonymous Coward
    Anonymous Coward

    About that name thing.

    "...a name, Badlock; a website, and a logo"

    Celebrity bugs. How quaint. I guess if that's what it takes to get people to patch, but IT and the fashion industry are looking more and more alike every day. Time for the Spring Collection.

    1. JEF_UK

      Re: About that name thing.

      You missed Apples release yesterday?

      1. Ole Juul

        Re: About that name thing.

        You missed Apples release yesterday?

        You can't compare this to apples.

  4. kryptylomese

    Wheatley would make better software than Microsoft.

    1. hplasm
      Devil

      Wheatley would make better software than Microsoft

      Yes, Dennis Wheatley.

  5. PaulAb

    Is it safe...

    Whine of high speed dental drill..

    'Is it safe'

    'Is what safe?'

    Grinding sound of dental drill followed by a gut-wrenching scream

    'Take your time,......Is it safe'

    'Is what safe! Is what safe!' comes the bloody gurgled response, blood flows from the mouth.

    'Samba, Windows,...Is it safe?'

    'Don't be stupid'

    'Oh, cup of tea then?'........

    'Absolutely,.... my little mad nazi friend'

  6. Numen
    Unhappy

    Solaris 11 has its own implementation as well.

    And don't forget all the storage array and appliance manufacturers that use Samba in their products. It's probably going to take a while to get upgrades for them and then get those applied!

    1. Anonymous Coward
      Childcatcher

      "Solaris 11 has its own implementation as well.

      And don't forget all the storage array and appliance manufacturers that use Samba in their products. It's probably going to take a while to get upgrades for them and then get those applied!"

      Many of the older home grade NAS devices will probably never have patches released.

      1. Paul Crawford Silver badge

        Lets face it, most of said SMB equipment would be a strong and resilient as a wet paper bag if you expose the network to world+dog, samba patch or not.

        I'm guessing this is more of a risk in small businesses if a malicious actor can get a machine attached (or p0wn one via email, etc). Nobody should have a network share visiable to world+dog and big organisations/companies will have network switches set up to reject unknown machines being attached internally. I hope?

        1. Andrew Jones 2

          @paul crawford

          When big organisations/companies can't even be bothered to ensure they are storing credentials securely in public facing websites (even after the news being filled with other high profile security breaches) - I don't think we should assume anything (well other than the worst) about the state of play of their internal network......

        2. Anonymous Coward
          Anonymous Coward

          You are still vulnerable to attacks from inside the network. And if a vulnerability allows an attacker who obtained a limited foothold to escalate its privileges (or anyway obtain valuable information), the fact the machine is not Internet facing or the like is just a limited protection. Never believe a firewall or port authentication are enough, and patching the other systems is not really necessary.

    2. Infernoz Bronze badge

      Yet another reason why of-the-shelf NAS are a bad idea, and why FreeBSD based and actively maintained FreeNAS is a much better idea.

  7. Andrew Jones 2

    Oh no! We found a bug in some software that is on millions of devices - what do we do?

    Step 1) Come up with a catchy media friendly name.

    Step 2) Register a web domain

    Step 3) Contact the guys who did the Heartbleed website and ask if we can use their design.

    Step 4) Contact relevant people and start working on a fix.

    I thought there used to be security lists that people subscribed to for this sort of thing - is every vulnerability from this point forward going to have a catchy name and a website?

    1. Michael Wojcik Silver badge

      I thought there used to be security lists that people subscribed to for this sort of thing

      There still are. BUGTRAQ, for example, is still going strong.

      is every vulnerability from this point forward going to have a catchy name and a website?

      No. While it seems like there are a lot of these "celebrity bugs", they're really a very small fraction of public disclosures. I've received 14 emails from BUGTRAQ today. Even weekly and monthly summaries of only "major" vulnerability announcements, from various CERTs and the like, are almost entirely non-celebrity bugs.

      So while we're certainly seeing more of this sort of thing, it's barely at the level of background noise to anyone who follows common vulnerability-disclosure channels.

      Personally, I have no objection to the fad. While it's easy to demonstrate how cynical and cool you are by mocking it (hello, Reg scribes!), it makes it much easier to light a fire under management and inform end users. Someone's creating an easy-to-find description of the problem for non-experts? Oh, the horror.

  8. Mikel

    Correction

    >It sounds like a flaw in the SMB protocol, which Windows and open-source Samba both implement to share files between computers over a network.

    SMB is a malware delivery and document publishing platform that some people unwisely use to share files.

    1. Michael Wojcik Silver badge

      Re: Correction

      SMB is a fairly stupid protocol, but then so is NFS1. I have decades-old paper copies of the specs for both2, so it's not like my opinion is completely uninformed.

      There have been some better file-sharing protocols. The Andrew File System was superior, in my book. And there have been worse ones, like AppleTalk. I don't remember enough about IPX and Novell's file-sharing protocol3, or VMS clustering, or any of the others I've seen over the years to say. I don't think any of them was an unalloyed wonder, though.

      In general, blaming a protocol for how it's used just displays your ability to commit category errors.

      1NFS has gotten better over the years, but in the process it's also gotten rather stovepiped.

      1Technically, in the case of SMB, what I have is Microsoft Networks: SMB File Sharing Protocol, version 6.0p, published by Microsoft in 1996. As noted above, this is not the complete specification for SMB; for full interoperability with Windows the Samba team had to reverse-engineer a lot of proprietary additions. But it's the core, and at 99 pages a pretty significant chunk in itself.

      3Which is kind of ironic, since I work for the company that now owns Novell.

      1. This post has been deleted by its author

  9. Joe Montana

    Home Users

    Current versions of Windows, even the workstation versions have SMB enabled by default and make it far too difficult to turn it off, so yes home users could well be affected to as they're running an SMB service even if they don't realise it.

    1. cyrus

      Re: Home Users

      Indeed. Have an upvote. I am often asked to implement a cross-platform server for home users of Windows and Macintosh computers. Samba is an obvious choice and not very difficult to enable on a wide variety of NAS devices or operating systems. Sort of thick to say that this is unlikely to affect home users.

    2. Alister

      Re: Home Users

      Current versions of Windows, even the workstation versions have SMB enabled by default

      I'm not sure that's true of anything after Vista, to the best of my knowledge the Windows firewall blocks SMB traffic, and the "File and Printer Sharing" and "Network Discovery" services are disabled by default.

      1. Michael Wojcik Silver badge

        Re: Home Users

        I'm not sure that's true of anything after Vista, to the best of my knowledge the Windows firewall blocks SMB traffic, and the "File and Printer Sharing" and "Network Discovery" services are disabled by default.

        Are they? I helped my stepdaughter install Win101 a while back, and I'm pretty sure it prompted me to set up a "homegroup" at the end. I declined, but there's every reason to think that many people would go ahead and click through.

        Certainly Win7 has always prompted me to set one up on non-domain installs.

        1She needed a Windows machine for a university course2, and as a Mac user didn't have a lot of options.

        2Taught by someone who can't be bothered to learn how to accommodate student OS choice, apparently.

  10. Kepler
    Windows

    A shame we can't trust Windows Update anymore

    It's a shame we can't trust Windows Update anymore. Before Microsoft started using it to surreptitiously foist mislabeled and vaguely described or altogether misdescribed adware and spyware onto our computers, it was really useful for things like this.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like