Sunday, April 17, 2016

Badlock Microsoft

It is 5 days since this happened but I am not over that. So, today I am doing some venting.

So on April 12, after weeks of hype-building, Microsoft finally announced details about the Badlock vulnerability. Before that, all we knew (just ask Naked Security) was its cute name and Heartbleed-derived logo. Yes I put it on the right since I do not want to focus on it. And then the stampede to patch servers -- both Windows and those running Samba -- began.

Before someone gets excited, beginning on OSX 10.7 Apple decided to use its own SMB stack, smbx, which should not be affected. Of course, "should" is an interesting word.

Back to the topic, Badlock in the Microsoft website is known as MS16-047 and consists of

  • KB3148527 for more detailed (?) description of the issue and
  • KB3149090 for the patch itself.

I too had to worry about patching Windows servers.

The machine in question is a Windows Server 2008 box. Yes, I know, it is ancient (I was going to mention I know places still running Windows 2003 server and XP desktops, but I better not scare anyone) but still supported by Windows. And, that is what I had to play with. More importantly, that is the one I remembered to do a screen capture, which is shown here.

As some of you know, I do not like clickety-click interfaces unless they let me run and query them using scripts. And I do not know how to do that in for that window, so here is how it looks like from the command line (in case you want to check whether a specific patch has been installed):

wmic qfe list brief | Select-String -pattern "3149090"
Security Update               KB3149090               DR-ZAIUS\Administrator  4/12/2016                                       

OK, it does not show all the info on the windows since I used the brief option, but it does verify said KB has been applied. So now we can go back to the dialog box. It shows a url, http://support.microsoft.com/kb/3149090/. When I applied said patch on April 12, the Badlock day, it went nowhere. As in page not found. Now it resolves to https://support.microsoft.com/en-us/kb/3149090

For some of you this might not sound a problem, but they have been announcing that April 12 was the Badlock Day for how long? And when it comes around you can't even go to the site and download the patch (using Windows upgrade worked tough)? This feels a bit like amateur hour to me. Microsoft, you had lots of time to get it ready, so no excuse.

Ok, venting is complete. Back to the normal programming.

Fun Fact

Now, if we jump into our DeLorean (or a more environmentally conscious time machine), we can go back to 2009 and find an interesting post from Microsoft called Credential Relaying Attacks on Integrated Windows Authentication. I could go and make the case that the issues it raises are suspiciously similar to those in badlock, but I would rather not. Instead, I would suggest you to take a look at the suggestions; they might be useful.

No comments: