
What bugs about Badlock?

The hype enveloping it, the marketing-of-a-vulnerability angle or the actual threat level?

Pratima Harigunani


INDIA: Another vulnerability exposé. Another round of days devoted to dissecting it. Another round of newspaper ink, or keystrokes, poured out generously with every new headline. But is it really another Heartbleed?

Since when did the insectivorous community ditch sprays and start fussing over frills, flounces and whistles? Beats us.

If Heartbleed or Venom left you hemorrhaging over the question, the last few days twist the knife further with a new flaw on the block: Badlock.


From being tagged as a crucial security bug in Windows and Samba to going through the Microsoft patch ritual, the new bug has spread its wings just like every other celebrity bug.

But what’s also itching people this time are questions around the significance level, the unusual branding varnish, the length of the window between ‘opportunity to fix’ and ‘disclosure’, and the time and effort taken to fix it.

Among the many observations this time, the one that springs right to the top is this criticism: there is something odd about disclosing a vulnerability in a marketing-heavy manner. Some industry watchers have ventured that this amounts to giving more room to hackers.


Sanjay Katkar, CTO, Quick Heal Technologies, agrees with the notion. “Here I would say they should have waited for the three weeks' window for a fix to be available. Disclosing ahead of the window and marketing the same is something that is not going to help end users but will definitely give some juice to hackers out there.”

Then there is the ‘hype’ question, amplified by how the Stagefright and Heartbleed flaws were exposed and dealt with. It is something that swings depending on whether one sees it through a man-in-the-middle lens or otherwise.

An expert from Symantec explains that Badlock refers to a defect in a security component contained in just about every version of Windows. “If exploited it could be used to mount a ‘Man in the Middle’ attack, which could allow an attacker to steal sensitive information from an affected computer. It could also be used to mount a denial-of-service attack, to render an affected computer or server inaccessible. However, in order to exploit it, an attacker would need to already have access to the target’s network, which limits the scope for successful attacks.”


For Katkar, the Badlock bug does look overhyped, but at the same time he maintains that it poses a serious threat. “Since it is not a vulnerability which can be exploited for remote code execution, the direct impact and threat level does go down, and hence many may not take it seriously. At the same time the man-in-the-middle threat from this bug is serious, and hence, now that the patch is available, one should patch the same.”

Symantec agrees with Microsoft’s assessment, which rated the vulnerability as ‘Important’, one step below ‘Critical’. “Nevertheless we would recommend users of Windows and any other affected software to patch immediately,” the Symantec executive says.

Katkar dismisses any comparisons with Heartbleed, though. “The two things cannot be compared, although the Badlock guys did take a similar approach to publishing the bug.”


The expert from Symantec concurs. “Badlock is much less severe compared to Heartbleed. Heartbleed could be exploited by remote attackers, whereas Badlock can’t.”

Similar or different, it seems that vulnerabilities and bugs will keep hogging the media spotlight, and security flashlights along with toolkits and torches, whenever something new pops up. Would that aid or amputate the concept of crippleware?

Now that’s another question. For another day.
