It seems the latest trend in vulnerability disclosure is to spend time branding your vulnerabilities. Heartbleed, Shell Shock, Ghost - all of these vulnerabilities had trendy web pages, catchy names and hard-hitting logos.
But is it really worth the effort? The first branded vulnerability - Heartbleed - received massive attention in the general media, and for good reason. Heartbleed was a serious vulnerability with severe consequences: it revealed information that was supposed to be kept private, including personal data and even credit card information. The media attention that this vulnerability received was warranted and useful.
The latest branded vulnerability, however, isn't quite what it was hyped up to be. Dubbed Badlock, it consists of a series of vulnerabilities in server-side software that can result in man-in-the-middle (MITM) or denial-of-service (DoS) attacks against a specific set of services. This is certainly not a good thing - but it's not the worst. It doesn't give attackers a way to actually get into a target system, so an attacker would already have to be present within a private network to exploit it. On top of that, there is no information disclosure or widely exploitable hole that would be of concern to servers running on the internet.
So - why all the press? Sure, it's not a great thing, but there are plenty of far more damaging vulnerabilities out there that haven't received half as much attention as Badlock has. If you're going to stand on the rooftops and cry wolf, you'd better have a good reason for doing so - and this, unfortunately, is not a good reason. All this does is dilute the effect that branded vulnerabilities have, and it won't be long before the general public is tired of hearing about them.
I'm not saying that branded vulnerabilities are a bad thing, but we should be far more careful about which vulnerabilities we direct attention to, so that the ones that really deserve the attention can get it.
On April 12th, 2016, Badlock, a crucial security bug in Windows and Samba, was disclosed. Samba 4.4.2, 4.3.8 and 4.2.11 Security Releases are available. Please update your systems. We are pretty sure that there will be exploits soon. Engineers at Microsoft and the Samba Team worked together during the past months to get this problem fixed.