Don’t Believe the (Vulnerability) Hype
Are vulnerability discoveries always as critical as the hype around them may suggest?
The technology industry is the silicon-and-solder manifestation of the live fast and die young ethos. Start-ups, ideas, and products burst onto the scene, burn brightly and consume vast quantities of cash and media attention, and then disappear, living on only in sad eBay listings and Where Are They Now pieces.
This arc has shown up all over the industry in a variety of forms for decades, and one of the more recent examples is the massive hype cycle surrounding vulnerabilities. This week we saw the unveiling of Badlock, the latest in a long line of vulnerabilities with clever names, dedicated web sites, and often, logos. The researcher who discovered Badlock began dropping hints about it several weeks ago without revealing the actual details. Eventually, we learned that it was a bug in Samba and were told it was really serious.
But when the details of the Badlock flaw were published on Tuesday, security experts were somewhat underwhelmed, to put it politely. The vulnerability can be used for man-in-the-middle attacks or denial-of-service attacks in some cases, but it did not fall into the Internet-killing category that some observers were concerned that it might. That’s a relief in a lot of ways, obviously, but it also came as a letdown to some people, given the hype surrounding the disclosure.
The idea of hyping up vulnerabilities isn’t a new one. It’s been done for years, in a lot of different ways, but the difference now is that it is seen as a marketing opportunity. It’s not enough to spend weeks or months finding and researching a new vulnerability, report it to the affected vendors, and then wait for the patch to be pushed to users. Now, you need an art director, a creative team to produce an appropriately punny name, and a hype man to start building buzz about the bug. It’s all part of the package.
There’s a lot to be said for raising awareness about serious vulnerabilities. Educating enterprises and consumers about bugs and urging them to patch, especially when there’s a serious risk of attack, is part of the responsibility of the security industry. When we have information that can protect people, there’s a responsibility to get it to them. And this process can work well. Take the case of Heartbleed, the vulnerability in OpenSSL that emerged in 2014. The bug was quite serious, allowing attackers to steal secret keys for certificates and a lot of other sensitive data, and it affected a huge number of systems. The researchers who discovered it notified the OpenSSL team, worked on the fix, and then they put together a detailed list of what was affected, how, and how to defend against it.
That worked. People realized how serious the problem was and they patched. Sure, the bug had a name and a sort of creepy logo, but that was beside the point. At least for that one. Then came the inevitable followers, the not-so-serious vulnerabilities that were polished to a high gloss and given clever names in order to... what? Raise awareness? Maybe. Make money? Probably. It became so silly that last year researchers at Duo Security who had found a bug in MySQL put together a parody site and named the vulnerability BACKRONYM. This was the logical conclusion of this story, and it should’ve ended there.
But it hasn’t. And that may end up being bad for users in the long run. People tend to get fatigued by this stuff rather quickly, and the attention span of the Internet is shrinking by the second. So don’t be surprised if users start tuning these announcements out and ignoring the constant drumbeat of Next Big Bug.