This week it was OMIGOD, a set of flaws in the OMI agent that Microsoft quietly installs on a lot of Linux VMs in Azure when you switch on certain monitoring and management features. The worst of them lets an unauthenticated request run as root, and the agent gets deployed without most people ever choosing to deploy it. That last part is the bit that makes it nasty: you cannot patch an agent you did not know you had.
I am not going to do a full write-up of the mechanics; others have done that well. I want to talk about the logo.
Because OMIGOD has a name, and a name is doing real work here. Ever since Heartbleed back in 2014, the serious vulnerabilities come with branding. A pronounceable name, sometimes a logo, occasionally a dedicated website. There is a reflexive sneer in our industry about this, the "it's just marketing, real bugs don't need a mascot" line, and I used to make it too. I have come round.
Here is what changed my mind. I have sat in the meeting where you try to get a CVE patched. "CVE-2021-38647" gets a nod and a ticket and a place in next sprint's grooming, maybe. "OMIGOD, unauthenticated root on agents you didn't know Azure installed" gets someone actually checking, that afternoon. The name is not for the engineers who already understand the bug. It is for everyone above and around them who has to decide whether this jumps the queue. A memorable name is a priority signal that survives being repeated by someone who does not read the advisory.
There is a cost, of course. Branding optimises for memorability, not severity, so the scary-sounding ones get patched in a panic and the boring-sounding catastrophes get ignored. Not every named bug deserves the attention it gets, and plenty of unnamed ones deserve far more. The signal is loud but noisy.
OMIGOD is a fair one, though. Silent installation, root, cloud scale, trivial to trigger. If a logo is what gets people to go and check whether they are running OMI before someone else checks for them, I will take the logo.
My evening, predictably, was spent finding out which of our VMs had the agent and how to update it. The honest answer to "do you have OMI installed" turned out to be "more of them than you'd like", which is rather the whole point of the story.