ADVISORY: Badlock Bug means patching needed April 12 for Samba/Windows SMB
Friday, April 1, 2016
This information was sent to U-M IT staff groups on April 1, 2016. It is intended for U-M IT staff who are responsible for university machines that run Windows SMB (file shares) or Samba. Note that machines running Linux and OSX may provide services through Samba.
Summary
An important security bug in Windows and Samba has been discovered, and Microsoft and Samba are working together to address it. This bug is called Badlock. Patches are scheduled to be released on Tuesday, April 12, 2016, to fix the bug. Please plan now to set aside time to apply those patches.
Problem
At this time, the specific vulnerability is still unknown. However, some IT security experts have speculated that the name Badlock indicates the vulnerability may have something to do with resource locking. Others have speculated that it may affect the Server Message Block (SMB). According to the Badlock website, "We are pretty sure that there will be exploits soon after we publish all relevant information."
Affected Versions
Patches are expected to be available for Samba 4.4, Samba 4.3, and Samba 4.2. Affected versions of Windows have not yet been announced.
Action Items
Plan now so you will be prepared to deal with the patches on April 12.
- Analyze the possible impact of applying the patches to your systems. Consider the impact to the people who use your systems.
- Plan when/how you will test and deploy the patches as soon as they are available. According to the Badlock website, the Samba patches will be released around 17:00 Universal Time (UTC), which is 1:00 p.m. Eastern Daylight Time (EDT). That's the time Microsoft typically releases patches on Patch Tuesdays, so Microsoft's patches will likely be released around the same time.
- Be prepared to treat this as an urgent or emergency situation, depending on security risk analysis of information made available on April 12.
- Be prepared for the possibility of needing to apply initial patches and additional updates later.
Information for Users
Until information about the patches is available, we won't know if users will need to take any action. If MiWorkspace machines are affected, MiWorkspace staff take action as soon as possible.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact [email protected].
References
- Badlock Vulnerability Clues Few and Far Between (Threatpost, 3/28/16)
- Bad Luck Over The Upcoming Badlock Vulnerability? (RiskBased Security, 3/23/16)
- The Badlock bug: Start your patch prep today (InfoWorld, 3/25/16)
- Badlock Bug Looms Large as April Deadline Nears (eWeek, 3/23/16)
- Hype Around the Mysterious ‘Badlock’ Bug Raises Criticism (Wired, 3/24/16)