Microsoft patches Badlock, but doesn’t call it critical
Microsoft just released several security bulletins, with six marked as critical and seven categorized as important. The biggest surprise (or disguise) came in the patch marked only as important titled “Security Update for SAM and LSAD Remote Protocols” – this refers to the vulnerability more commonly known as Badlock.
As it turns out Badlock was not directly part of an exploit in Server Message Block (SMB) as original anticipated but rather part of Microsoft authentication framework, Security Account Manager (SAM) and Local Security Authority (LSAD).
Microsoft also designated this patch as Important as opposed to Critical. Suffice to say that the exploit did not necessarily live up to the hype and may put people at ease. These authentication protocols are part of SMB so this does still pertain to concerns regarding Windows file servers.
The majority of IT professionals suggest keeping SMB behind the firewall and have been doing so for years, but unfortunately, there are firms that do not adhere to this although they are few and far between. Regardless, many attackers will use every tool in their toolbox to get into a network so there’s a good chance that Badlock will be used as a downstream vector. For instance, an attacker can own a workstation via public Wi-Fi and then wait until that device is in a corporate environment.
Once it detects a file server, it could inject payload into the server via Badlock or simply use it to download corporate data. It’s likely that Badlock could circumvent antivirus until all vendors have caught up, assuming, of course that a company’s antivirus is up to date and functional.
In general, we now live in a world where exploits have public relations teams and trendy logos. This will not be the last one we see, but the question is – what other vulnerabilities are lurking out there? Beyond patching systems when Microsoft releases updates, it’s just as important to install a functional intrusion detection/prevention system to combat against zero day attacks.
IDS/IPS is merely one layer that is needed, of course. As any good security engineer will tell you, a fully deployed stack of internal and external security application is your best and truly only real defense.