Clear April 12: Windows, Samba to splat curious 'crucial' Badlock bug • The Register Forums

Tuesday 22nd March 2016 19:21 GMT Yet Another Anonymous coward

It's the end of the world....

>Engineers at Microsoft and the Samba Team are working together

It wasn't too long ago that Microsoft were bragging about having an entire team dedicated to frustrating samba. And Andrew Tridgell replying that he thought it was fun and a challenge

7 3 Reply

Wednesday 23rd March 2016 08:07 GMT Danny 14

Re: It's the end of the world....

As if millions of nas boxes cried out in terror and were suddenly silenced.

9 0 Reply
Wednesday 23rd March 2016 10:50 GMT phuzz

Re: It's the end of the world....

It was eight years ago that Microsoft gave the Samba devs all of the protocol documentation, I assume that all of the various bits of MS got the memo then and stopped trying to mess with Samba, but then who knows. There's probably a department at Microsoft that is still dedicated to bringing down Netscape.

0 0 Reply
1. Wednesday 23rd March 2016 11:04 GMT Tom 7
  
  Re: It's the end of the world....
  
  I'd heard that the Samba devs, who initially reverse engineered SMB effectively gave their documentation to MS by releasing under the GPL and then MS reformatted into Word for a giggle. And it wasn't so much that MS stopped messing Samba about as stopped messing themselves, and their many customers who wouldnt or couldn't upgrade every two years, up.
  
  0 0 Reply

Tuesday 22nd March 2016 19:27 GMT Anonymous Coward

OSX?

IIRC OSX no longer uses Samba due to its anti-drm GPL license - and now uses its own implementation of the SMB protocol - is it affected too?

1 0 Reply

Tuesday 22nd March 2016 23:02 GMT Yet Another Anonymous coward

Re: OSX?

If Microsoft is also working on a fix it is presumably a flaw in the protocol rather than the SAMBA implementation

4 1 Reply
1. Wednesday 23rd March 2016 21:48 GMT Michael Wojcik
  
  Re: OSX?
  
  If Microsoft is also working on a fix it is presumably a flaw in the protocol rather than the SAMBA implementation
  
  That presumption (a weaker version of which appears in the article) may not be correct. There was a study some years ago of the effectiveness of having independent teams develop software to the same specifications, for redundant systems. It found that many of the same implementation errors were made by two or more teams, despite their different approaches. It appears that in non-trivial systems there's generally a class of potential bugs that most developers will introduce.
  
  0 0 Reply

Tuesday 22nd March 2016 19:28 GMT Anonymous Coward

About that name thing.

"...a name, Badlock; a website, and a logo"

Celebrity bugs. How quaint. I guess if that's what it takes to get people to patch, but IT and the fashion industry are looking more and more alike every day. Time for the Spring Collection.

13 2 Reply

Tuesday 22nd March 2016 19:53 GMT JEF_UK

Re: About that name thing.

You missed Apples release yesterday?

0 0 Reply
1. Wednesday 23rd March 2016 03:09 GMT Ole Juul
  
  Re: About that name thing.
  
  You missed Apples release yesterday?
  
  You can't compare this to apples.
  
  6 0 Reply

Tuesday 22nd March 2016 20:21 GMT kryptylomese

Wheatley would make better software than Microsoft.

2 1 Reply

Wednesday 23rd March 2016 08:23 GMT hplasm

Wheatley would make better software than Microsoft

Yes, Dennis Wheatley.

1 0 Reply

Tuesday 22nd March 2016 20:53 GMT PaulAb

Is it safe...

Whine of high speed dental drill..

'Is it safe'

'Is what safe?'

Grinding sound of dental drill followed by a gut-wrenching scream

'Take your time,......Is it safe'

'Is what safe! Is what safe!' comes the bloody gurgled response, blood flows from the mouth.

'Samba, Windows,...Is it safe?'

'Don't be stupid'

'Oh, cup of tea then?'........

'Absolutely,.... my little mad nazi friend'

2 2 Reply

Tuesday 22nd March 2016 22:04 GMT Numen

Solaris 11 has its own implementation as well.

And don't forget all the storage array and appliance manufacturers that use Samba in their products. It's probably going to take a while to get upgrades for them and then get those applied!

2 0 Reply

Tuesday 22nd March 2016 22:09 GMT Anonymous Coward

_{"Solaris 11 has its own implementation as well.}

_{And don't forget all the storage array and appliance manufacturers that use Samba in their products. It's probably going to take a while to get upgrades for them and then get those applied!"}

Many of the older home grade NAS devices will probably never have patches released.

5 0 Reply
1. Tuesday 22nd March 2016 22:50 GMT Paul Crawford
  
  Lets face it, most of said SMB equipment would be a strong and resilient as a wet paper bag if you expose the network to world+dog, samba patch or not.
  
  I'm guessing this is more of a risk in small businesses if a malicious actor can get a machine attached (or p0wn one via email, etc). Nobody should have a network share visiable to world+dog and big organisations/companies will have network switches set up to reject unknown machines being attached internally. I hope?
  
  7 0 Reply
  1. Wednesday 23rd March 2016 00:03 GMT Andrew Jones 2
    
    @paul crawford
    
    When big organisations/companies can't even be bothered to ensure they are storing credentials securely in public facing websites (even after the news being filled with other high profile security breaches) - I don't think we should assume anything (well other than the worst) about the state of play of their internal network......
    
    4 0 Reply
  2. Wednesday 23rd March 2016 08:51 GMT Anonymous Coward
    
    You are still vulnerable to attacks from inside the network. And if a vulnerability allows an attacker who obtained a limited foothold to escalate its privileges (or anyway obtain valuable information), the fact the machine is not Internet facing or the like is just a limited protection. Never believe a firewall or port authentication are enough, and patching the other systems is not really necessary.
    
    5 0 Reply
Wednesday 23rd March 2016 16:25 GMT Infernoz

Yet another reason why of-the-shelf NAS are a bad idea, and why FreeBSD based and actively maintained FreeNAS is a much better idea.

0 0 Reply

Tuesday 22nd March 2016 23:59 GMT Andrew Jones 2

Oh no! We found a bug in some software that is on millions of devices - what do we do?

Step 1) Come up with a catchy media friendly name.

Step 2) Register a web domain

Step 3) Contact the guys who did the Heartbleed website and ask if we can use their design.

Step 4) Contact relevant people and start working on a fix.

I thought there used to be security lists that people subscribed to for this sort of thing - is every vulnerability from this point forward going to have a catchy name and a website?

6 0 Reply

Wednesday 23rd March 2016 21:56 GMT Michael Wojcik

I thought there used to be security lists that people subscribed to for this sort of thing

There still are. BUGTRAQ, for example, is still going strong.

is every vulnerability from this point forward going to have a catchy name and a website?

No. While it seems like there are a lot of these "celebrity bugs", they're really a very small fraction of public disclosures. I've received 14 emails from BUGTRAQ today. Even weekly and monthly summaries of only "major" vulnerability announcements, from various CERTs and the like, are almost entirely non-celebrity bugs.

So while we're certainly seeing more of this sort of thing, it's barely at the level of background noise to anyone who follows common vulnerability-disclosure channels.

Personally, I have no objection to the fad. While it's easy to demonstrate how cynical and cool you are by mocking it (hello, Reg scribes!), it makes it much easier to light a fire under management and inform end users. Someone's creating an easy-to-find description of the problem for non-experts? Oh, the horror.

2 1 Reply

Wednesday 23rd March 2016 03:59 GMT Mikel

Correction

>It sounds like a flaw in the SMB protocol, which Windows and open-source Samba both implement to share files between computers over a network.

SMB is a malware delivery and document publishing platform that some people unwisely use to share files.

2 10 Reply

Wednesday 23rd March 2016 22:04 GMT Michael Wojcik

Re: Correction

SMB is a fairly stupid protocol, but then so is NFS¹. I have decades-old paper copies of the specs for both², so it's not like my opinion is completely uninformed.

There have been some better file-sharing protocols. The Andrew File System was superior, in my book. And there have been worse ones, like AppleTalk. I don't remember enough about IPX and Novell's file-sharing protocol³, or VMS clustering, or any of the others I've seen over the years to say. I don't think any of them was an unalloyed wonder, though.

In general, blaming a protocol for how it's used just displays your ability to commit category errors.

¹NFS has gotten better over the years, but in the process it's also gotten rather stovepiped.

¹Technically, in the case of SMB, what I have is Microsoft Networks: SMB File Sharing Protocol, version 6.0p, published by Microsoft in 1996. As noted above, this is not the complete specification for SMB; for full interoperability with Windows the Samba team had to reverse-engineer a lot of proprietary additions. But it's the core, and at 99 pages a pretty significant chunk in itself.

³Which is kind of ironic, since I work for the company that now owns Novell.

1 0 Reply
1. This post has been deleted by its author

Wednesday 23rd March 2016 08:22 GMT Joe Montana

Home Users

Current versions of Windows, even the workstation versions have SMB enabled by default and make it far too difficult to turn it off, so yes home users could well be affected to as they're running an SMB service even if they don't realise it.

3 0 Reply

Wednesday 23rd March 2016 09:16 GMT cyrus

Re: Home Users

Indeed. Have an upvote. I am often asked to implement a cross-platform server for home users of Windows and Macintosh computers. Samba is an obvious choice and not very difficult to enable on a wide variety of NAS devices or operating systems. Sort of thick to say that this is unlikely to affect home users.

0 0 Reply
Wednesday 23rd March 2016 10:47 GMT Alister

Re: Home Users

Current versions of Windows, even the workstation versions have SMB enabled by default

I'm not sure that's true of anything after Vista, to the best of my knowledge the Windows firewall blocks SMB traffic, and the "File and Printer Sharing" and "Network Discovery" services are disabled by default.

0 0 Reply
1. Wednesday 23rd March 2016 22:07 GMT Michael Wojcik
  
  Re: Home Users
  
  I'm not sure that's true of anything after Vista, to the best of my knowledge the Windows firewall blocks SMB traffic, and the "File and Printer Sharing" and "Network Discovery" services are disabled by default.
  
  Are they? I helped my stepdaughter install Win10¹ a while back, and I'm pretty sure it prompted me to set up a "homegroup" at the end. I declined, but there's every reason to think that many people would go ahead and click through.
  
  Certainly Win7 has always prompted me to set one up on non-domain installs.
  
  ¹She needed a Windows machine for a university course², and as a Mac user didn't have a lot of options.
  
  ²Taught by someone who can't be bothered to learn how to accommodate student OS choice, apparently.
  
  0 0 Reply

Wednesday 23rd March 2016 23:09 GMT Kepler

A shame we can't trust Windows Update anymore

It's a shame we can't trust Windows Update anymore. Before Microsoft started using it to surreptitiously foist mislabeled and vaguely described or altogether misdescribed adware and spyware onto our computers, it was really useful for things like this.

1 0 Reply

Topics

Special Features

Vendor Voice

Resources

COMMENTS

It's the end of the world....

Re: It's the end of the world....

Re: It's the end of the world....

Re: It's the end of the world....

OSX?

Re: OSX?

Re: OSX?

About that name thing.

Re: About that name thing.

Re: About that name thing.

Wheatley would make better software than Microsoft

Is it safe...

Correction

Re: Correction

Home Users

Re: Home Users

Re: Home Users

Re: Home Users

A shame we can't trust Windows Update anymore

POST COMMENT House rules

Enter your comment

Add an icon

Other stories you might like

Want to keep Windows 10 secure? This is how much Microsoft will charge you

Microsoft lifts years-old compatibility hold for Windows 11

Microsoft to use Windows 11 Start menu as a billboard with app ads for Insiders

Open source versus Microsoft: The new rebellion begins

German state ditches Windows, Microsoft Office for Linux and LibreOffice

How a single buck bought bragging rights in the battle to port Windows 95 to NT

Chrome for Windows-Arm laptops officially lands in time for Snapdragon X Elite kit

Windows Format dialog waited decades for UI revamp that never came

Microsoft gets new Windows boss as Start Menu man Parakhin 'to explore new roles'

It's 2024 and North Korea's Kimsuky gang is exploiting Windows Help files

Microsoft defends barging in on Chrome with pop-up ads pushing Bing, GPT-4

Supermium drags Google Chrome back in time to Windows XP, Vista, and 7

About Us

Our Websites

Your Privacy