Badlock patch released today
'Critical bug' in Windows and Samba finally gets fixed
A patch to remediate the Badlock vulnerability is to be released today at 5PM UTC.
According to Badlock.org, patches will be available for Samba 4.4, Samba 4.3 and Samba 4.2. Version 4.1 of Samba has now been discontinued.
"Please be aware that Samba 4.1 and below are out of support, even for security fixes. We strongly advise users to upgrade to a supported release, so that you will not have to make a major version update at the time you need to get the security fix installed," a statement on the website said.
Badlock will also be assigned a CVE following the release of the patches.
Paul Farrington, senior solution architect at Veracode, said that, after the arguments around the naming of Badlock, he hoped at least that IT administrators across the country were aware of this new vulnerability and ready to apply this essential patch to computers running Windows and Samba.
"The software and application layer continues to pose a significant threat to corporate information. Indeed, in 2014 alone there were eight major breaches through the application layer, resulting in more than 450 million personal or financial records stolen. And we aren't talking about small breaches at companies no one has heard of. Target, JPMorgan Chase, Community Health, and TalkTalk are four examples of companies that have suffered breaches due to vulnerabilities in software," he said.
29/03/2016: IT admin? Brace yourself for Badlock
An alleged critical bug has been discovered in Windows and interoperability suite Samba that could cause headaches for IT admins in mid-April.
The flaw has already been christened Badlock and given its own Heartbleed-like logo, while people have created a website for it and announced a patch release date - 12 April 2016.
But that is about all it has.
So far there's no information as to what kind of bug it is, where it resides, what it does - even what time of day the patch will be released, despite the site's creators claiming the reason for all the hype is to "give a heads up and to get [admins] ready to patch all systems as fast as possible".
But experts have speculated that it is a vulnerability in the Windows Server Message Block, for two reasons: the site advises "admins and all of you responsible for Windows or Samba server infrastructure" to be ready for the 12 April patch, and Samba is a Server Message Block (SMB) implementation.
The bug was found by Stefan Metzmacher, a member of the international Samba Core Team and employee of systems integrator and Samba services provider, SerNet.
The versions of Samba that will receive the Badlock patch are listed (4.4, 4.3, 4.2) on the site, but there's no detail on which Windows Server versions are vulnerable.
However, Microsoft is not issuing an out-of-band patch for this - the next Patch Tuesday was always going to be on 12 April. Does that mean there is no reason to be worried? No. But there is probably no reason to panic frantically either.