Just over a month ago, an unusual security announcement went out. Not the disclosure of a vulnerability itself, but rather that a vulnerability was going to be disclosed in the near future.
Details were few — we were told this vulnerability affected Windows and Samba — and the full breadth of the issue would be shared with the world on April 12 2016. To top it all off, the person who discovered the issue, Stefan Metzmacher, had already given the vulnerability its own website and an evocative name: Badlock.
In the meantime, we were all left to wait, wonder, and hope it wouldn’t be too bad. And when April 12 finally arrived, many in the security industry felt that Badlock was a lot of hot air.
You can see a lot of the frustrations around Badlock’s hype expressed perfectly on sadlock.org, no doubt created by an exasperated sysadmin. (There’s a lesson to be learned here for future vulnerability marketing teams – buy similar-sounding domain names, perhaps?)
Does it actually help to name vulnerabilities?
Generally, vulnerabilities are only known by their CVE – a useful but somewhat unwieldy classification. It’s quite uncommon for vulnerabilities to be named and “branded” as Badlock was, but it comes in a line of named vulnerabilities that have made headlines in the past few years.
You might remember a named vulnerability that grabbed the public’s attention in April 2014: Heartbleed, which was a bug in OpenSSL’s cryptography library.
While it wasn’t the first named vulnerability, it was definitely the first to have marketing attached to it. It had an easily-read name (much easier than its official designation as CVE-2014-0160), a website with simple language explaining the problem, and a slick bleeding-heart logo.
The vulnerability itself was also quite serious and a bit unusual. It affected a huge number of websites that many of us use daily, and the general public needed to change their passwords on these websites after the vulnerability was addressed.
If the goal of giving Heartbleed a cool name and logo was to grab a lot of attention by giving the scary issue a shiny veneer, and to reach far beyond those who normally pay attention to such things, it definitely worked.
Heartbleed made headline news across mainstream news and websites that normally wouldn’t ever talk about any kind of security issue. The Heartbleed marketing slick may very well have spurred people to action. (After all, OpenSSL and TLS aren’t exactly easy to explain to the general public.)
But the logo and the website for the Heartbleed vulnerability were also met with healthy skepticism. Was all this logo nonsense really necessary? Were all major vulnerabilities going to need this kind of treatment to get people’s attention?
Google bug hunters found Heartbleed and quietly fed patches for it into the community; the logo and the website came from a Finnish security company who discovered the same bug independently but slightly later. Was the logo more to do with grabbing credit while there was still a chance than it was to do with mobilising the public?
After all, mitigating a vulnerability’s impact generally requires someone like a system administrator to take action. There’s often not much the general public can do when a new vulnerability appears, except perhaps avoiding using certain services until their systems are patched.
Does having a shiny logo for every major vulnerability aid the public in understanding key security concepts, or does it just start unnecessary panic?
We’re hitting peak glamour vulnerability fatigue
Rather predictably, many people are already inured to Named Vulnerability of the Week.
Unless keeping track of these kinds of issues is your bread and butter, it’s not difficult to completely tune out repeated claims such as, “Hey, this is a big one – no really! We named it and everything!”
After all, since Heartbleed, we’ve seen a number of vulnerabilities given a glamorous treatment and a bit of marketing sheen: POODLE, DROWN, Shellshock, GHOST, and yesterday’s ImageTragick. But do you remember hearing much about any of these in the mainstream press? Probably not.
So who exactly are these “glamour” vulnerabilities trying to reach? The sysadmins who already have a huge laundry list of vulnerabilities to stay apprised of to try and patch? The language ever since Heartbleed came and went was that nobody wanted to miss the next Heartbleed.
It’s understandable that some people are cynical about all of this. There’s a rather frustrated Twitter account that recounts how many days it’s been since the last named vulnerability, @infosechype, whose tagline actually is “We make sure you don’t accidentally miss THE NEXT HEARTBLEED ™”
Given the letdown and subsequent backlash against the hype around Badlock, we may very well see some gun-shy vulnerability disclosures staying CVE-only for some time.
Or, perhaps if the cynics are right, it’s an arms race to the bottom.
What do you think?
Anonymous
The way the poll is written makes no sense. It asks “Are you fed up”, but the “Yes” answer implies you’re actually OK with fancy titles, and the “No” answer implies you are in fact fed up with them.
Anna Brading
Oops, sorry about that. It’s now fixed and the answers have been reset. Thanks for pointing it out :)
Laurence Marks
Nothing new here. Don’t you remember Code Red and Nimda from around 2000?
Paul Ducklin
To be fair, those were the names of virulent worms that were named after they were spreading like crazy in the wild and needed people to act against them. Code Red wasn’t a catchy name plus a web page plus a logo that talked up a vulnerability by saying, “Here’s a threat, or it might not be, and, by the way, it’s a secret for now.” I think they are different fish in different kettles.
Anonymous
Anything that has a pre-release marketing statement is just an attention grab, named or not. If you want to refer to a bug as Badlock when details are published, go for it. You found it, you can name it for convenience. If you want to refer to a bug/vulnerability/explot as Badlock three weeks* before announcing it, you just look silly. It’s just a bug! You’re not marketing a new movie or video game! And you’re giving 3 weeks for other people to exploit your bug or steal your credit.
* Assuming linked Sadlock site is correct.
M Thibault
Save the marketing spiel for vulnerabilities where the general public has to take action, like HeartBleed. Otherwise, don’t waste sysadmin time.
Paul Ducklin
Ironically, Heartbleed was where the general public could do very little. It was all about servers coughing up innocent people’s data (perhaps).
anon
Honestly, I want my digital devices to work for me and not the other way around. If there is a proper protocol then each app and OS should invoke it provided I turn on “auto update.” It would also be nice to have an optional freeze mode for compromised features until the update is released.