After the burst of the bug bubble, I’m left wondering who at SerNet decided the Badlock marketing campaign was a good idea and why. It certainly was not, as claimed, to raise awareness for a critical bug that needed immediate patching.
Microsoft gave the vulnerability a security ranking of “important” but not critical. In fact, it would be extremely difficult for cybercriminals to exploit the Badlock vulnerability. The attacker would need to be already inside the network and past any security mechanisms. He must be in a place in which he can sniff and intercept the traffic and would need administrative credentials to access resources required for network interception from inside the network. So if this was to be used by anyone soon, it could only be by those that already reside in a very specific network and have remote access controls.
SerNet’s hype of Badlock hurts honest efforts to make companies and their information systems more secure. The awkward announcement three weeks ago, and the following flurry of speculation, took attention away from dozens of truly severe vulnerabilities, all needing the attention of IT teams. For example, this campaign actually masked a much more critical and important vulnerability that also appeared in today’s patch from Microsoft. The Hyper-V Remote-Code-Execution (RCE) vulnerability, which allows execute code from Guest to Host, is one of the more important vulnerabilities to surface in the last few months and has much greater impact on organizations around the world.
Unfortunately, Badlock is only an extreme example of a new trend. More and more companies use their findings for marketing reasons. This is not a problem if done responsibly, but SerNet exploited a real crisis that IT teams are facing. They simply cannot keep up with the sheer amount of patches – the gap is just getting bigger and bigger. Making the right choice about which patches to prioritize can be critical; being misled by those crying wolf can do real harm.
The case of Badlock sheds light again on the “pain of patching” and the endless “patch me if can” syndrome. Let’s face it – patches stop exploitations of vulnerabilities already known. The lifeblood of modern cybercrime is zero-days. Taking these two factors into account – patching gaps and zero-days – it becomes clear that prevention techniques are the only way to break this vicious cycle. Prevention is essentially pre-patching your system before a vulnerability is discovered by hackers.
Morphisec approach to endpoint security, is exactly doing this: Morphisec’s Moving Target Defense makes sure that no hacker can exploit vulnerabilities in applications on your Windows-based computer. It prevents all zero-days and advanced attacks, without requiring prior knowledge of the threat form, type or behavior.