The New "What did you do with your Z today" (with off topic replies) XXIII

On April 12th, 2016, a crucial security bug in Windows and Samba will be disclosed. We call it: Badlock.

Engineers at Microsoft and the Samba Team are working together to get this problem fixed. Patches will be released on April 12th.

Admins and all of you responsible for Windows or Samba server infrastructure: Mark the date. (Again: It's April 12th, 2016.)

Please get yourself ready to patch all systems on this day. We are pretty sure that there will be exploits soon after we publish all relevant information.

Q&A

Which Samba versions will get patches?

Patches will be available for Samba 4.4, Samba 4.3 and Samba 4.2 on April 12th.

With the release of Samba 4.4.0 on March 22nd the 4.1 release branch has been marked DISCONTINUED.

Please be aware that Samba 4.1 and below are out of support, even for security fixes. We strongly advise users to upgrade to a supported release, so that you will not have to make a major version update at the time you need to get the security fix installed.

While there will be no official security releases for Samba 4.1 and below published by the Samba Team or SerNet (for EnterpriseSAMBA) some vendors probably will backport the patches.

When on April 12th will the patches be released?

Patches will be released around 17:00 UTC. That's about the same time the Microsoft Patch Tuesday occurs.

Is there a CVE for Badlock?

Yes. Badlock has an assigned CVE. It will be listed here after the patches are released.

Why announce Badlock before April 12th, 2016?

The main goal of this announcement is to give a heads up and to get you ready to patch all systems as fast as possible and have sysadmin resources available on the day the patch will be released. Vendors and distributors of Samba are being informed before a security fix is released in any case. This is part of any Samba security release process.

Weighting to the respective interests of advance warning and utmost secrecy we chose to warn you beforehand, so that everyone has a chance to be ready to install the fixes as soon as they are available. Once the patch is released to the public, it will point to attack vectors and exploits will be in the wild in no time.

Yet Another Bug With A Logo?

What branded bugs are able to achieve is best said with one word: Awareness. Furthermore names for bugs can serve as unique identifiers, other than different CVE/MS bug IDs.

It is a thin line between drawing attention to a severe vulnerability that should be taken seriously and overhyping it. This process didn't start with the branding - it started a while ago with everyone working on fixes.

Who found the Badlock Bug?

Badlock was discovered by Stefan Metzmacher. He's a member of the international Samba Core Team and works at SerNet on Samba. He reported the bug to Microsoft and has been working closely with them to fix the problem.

Where to find more information?

This page will get updates regularly. Please come back for more information.