Microsoft Squashes Bluetooth Bug

Office 365 Vs. Google Apps: Top 10 Enterprise Concerns

On Tuesday, Microsoft released four security bulletins with patches for 22 vulnerabilities, including bugs in Microsoft Visio, Windows Client/Server, and the Windows kernel.

Only one of the 22 vulnerabilities, however, was rated as "critical." It involves a bug in the Bluetooth stack that an attacker could exploit by sending specially crafted packets to a PC within Bluetooth range--typically, about 30 feet--to take full control of the machine. The vulnerability is present only in Windows 7 and Vista.

"We encourage all customers to apply this bulletin first, before deploying the rest of our July updates, as soon as possible," according to a Microsoft Security Response Center blog post. It notes that Windows users with Automatic Update enabled will get the fix automatically.

Who's most at risk from the Bluetooth vulnerability? "Road warriors who have a Bluetooth device such as [a] mouse or headset connected, and who use their laptops at airports, coffee shops, book stores, or other public places where attackers can get within range without causing suspicion," said Amol Sarwate, vulnerability labs manager for Qualys, in a blog post. "As a workaround, users can temporarily disable Bluetooth. The vulnerability cannot be exploited over the wire, for example by visiting a malicious website or opening a Word document."

Because the attack requires not only physical proximity, but also the targeted PC to have a certain Bluetooth configuration, security experts said that it's unlikely to be exploited en masse. "To exploit the flaw, users would need to have their Bluetooth adapter in discoverable mode and be within range of a determined attacker," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post. Furthermore, Bluetooth, even when activated, is by default not discoverable. As a result, he said that the bug is "a low-risk vulnerability."

Microsoft did note, however, that an attacker could execute an attack against a Bluetooth-enabled device that wasn't in discoverable mode, although it's not very practical.

"If you have paired a Bluetooth peripheral and are actively communicating, it is hard but not impossible to extract the Bluetooth address from the traffic sent over-the-air," according to a Microsoft Security Research & Defense blog post. "A device is available on the market for $10,000 to $30,000 to do this in about five minutes. Research continues to advance in this space and we expect in years to come that this will become quicker for attackers. But for now, it remains difficult but not impossible to extract the Bluetooth address from over-the-air traffic."

Meanwhile, the other bugs patched by Microsoft rated as "important," meaning they can't be used alone for remote code execution. Those vulnerabilities include bugs in the Windows kernel drivers and client/server runtime subsystem, which could give elevated system privileges to an attacker who can already run code on the machine, as well as a DLL hijacking issue in Visio 2003 SP3. According to Qualys's Sarwate, "this current strain of DLL pre-loading vulnerabilities was first identified in August of 2010 and plagues a large number of software packages, some from Microsoft and many from third-party vendors. Addressing all of the vulnerabilities is a daunting task and will not be completed anytime soon."

For Apple users feeling overlooked by the flurry of Windows patches, on Tuesday, Mozilla also pushed a Mac-only Firefox update (moving the current version from 5.0 to 5.0.1) to fix two reliability problems. "One of these--Firefox crashes when using a downloadable font--manifests itself only on OS X 10.7, which isn't out yet," said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, said in a blog post. "The other--the Java plug-in stopped working after Apple's last Java update--affects only users of OS X 10.5, which is the previous version of Apple's operating system."

Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas. Find out more and register.