Badlock patch released today

'Critical bug' in Windows and Samba finally gets fixed

A patch to remediate the Badlock vulnerability is to be released today at 5PM UTC.

According to, patches will be available for Samba 4.4, Samba 4.3 and Samba 4.2. Version 4.1 of Samba has now been discontinued.

"Please be aware that Samba 4.1 and below are out of support, even for security fixes. We strongly advise users to upgrade to a supported release, so that you will not have to make a major version update at the time you need to get the security fix installed," a statement on the website said.

Badlock will also be assigned a CVE following the release of the patches. 

Paul Farrington, senior solution architect at Veracode, said that after arguments around the naming of Badlock, he hoped at least that IT administrators across the country are aware of this new vulnerability and are ready to apply this essential patch to computers operating on Windows and Samba.

"The software and application layer continues to pose a significant threat to corporate information. Indeed, in 2014 alone there were eight major breaches through the application layer, resulting in more than 450 million personal or financial records stolen. And we aren't talking about small breaches at companies no one has heard of. Target, JPMorgan Chase, Community Health, and TalkTalk are four examples of companies that have suffered breaches due to vulnerabilities in software," he said.

29/03/2016: IT admin? Brace yourself for Badlock

An alleged critical bug has been discovered in Windows and interoperability suite Samba that could cause headaches for IT admins in mid-April.

The flaw has already been christened Badlock and given its own Heartbleed-like logo, while people have created a website for it and announced a patch release date - 12 April 2016.

But that is about all it has.

So far there's no information as to what kind of bug it is, where it resides, what it does - even what time of day the patch will be released, despite the site's creators claiming the reason for all the hype is to "give a heads up and to get [admins] ready to patch all systems as fast as possible".

But experts have speculated that it is a vulnerability in the Windows Server Message Block, owing to the facts that the site advises "admins and all of you responsible for Windows or Samba server infrastructure" to be ready for the 12 April patch and that Samba is a Server Message Block (SMB) implementation.

The bug was found by Stefan Metzmacher, a member of the international Samba Core Team and employee of systems integrator and Samba services provider, SerNet.

The versions of Samba that will receive the Badlock patch are listed (4.4, 4.3, 4.2) on the site, but there's no detail on which Windows Server versions are vulnerable.

However, Microsoft is not issuing an out-of-band patch for this - the next Patch Tuesday was always going to be on 12 April. Does that mean there is no reason to be worried? No. But there is probably no reason to panic frantically either.
