Slashdot Mirror


Company Behind Badlock Disclosure Says Pre-Patch Hype Is Good Marketing (csoonline.com)

itwbennett writes: A new vulnerability in Windows and Samba, called Badlock, is set for disclosure on April 12, according to Badlock.org. Yes, this vulnerability has its own website and logo and therein lies the problem. In a Twitter exchange with CSO Online's Steve Ragan, Johannes Loxen, who registered the Badlock domain, called the pre-patch marketing a win-win, saying, 'A serious bug gets attention and marketing for us and our open source business is a side effect for us of course.' As Ragan notes, 'PR-driven vulnerability disclosure isn't something new,' and 'can be useful sometimes.' Marketing around Heartbleed, for example, 'generated tons of news coverage and quick reaction by administrators who worked long hours to patch vulnerable systems. There have been several since Heartbleed,' says Ragan. But in the case of Badlock, a 20-day lead time gives criminals plenty of time to tear Samba apart.

3 of 79 comments

  1. Let's make some educated guesses. by Anonymous Coward · Score: 5, Insightful

    Let's make some educated guesses about this problem.

    1. It is a protocol-related bug, since it affects two different implementations.

    2. It involves file locking, hence the name.

    3. There might very well be some ruthless self-promotion going on here.

    1. Re:Let's make some educated guesses. by phayes · Score: 5, Informative

      Tridge has very publicly stated that the hard part in making Samba work was not in following Microsoft's specifications but identifying and replicating the bugs in Microsoft's implementations.

      --
      Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
  2. Re:Quoted line about lead time is stupid by omnichad · Score: 4, Insightful

    I would imagine that Windows 7 and 8 will not get patched at all (and certainly not XP or Vista)

    XP won't get a patch because it's not supported (unless this affects interoperability between patched and unpatched - then they might be motivated).

    But this is a security update. Vista is supported until next April. They're going to have a very hard time convincing the public that they shouldn't patch that. And Windows 7 is far more under the umbrella than Vista.

    Heartbleed got a patch for XP despite it being out of support entirely.