Microsoft today released updates to fix at least 22 security flaws in its Windows operating systems and other software. The sole critical patch from this month’s batch addresses an unusual Bluetooth vulnerability that could let nearby attackers break into vulnerable systems even when the targeted computer is not connected to a network.
Bluetooth is a wireless communications standard that allows electronic devices — such as laptops, mobile phones and headsets — to communicate over short distances (the average range is between 30 and 100 meters, but that range can be extended with specialized tools). To share data, two Bluetooth-enabled devices normally need to “pair” with one another, a process that involves the exchange of a passkey between the two devices.
But Microsoft today shipped a patch to fix a flaw in its Bluetooth implementation on Windows Vista and Windows 7 computers that it said attackers could use to seize control over a vulnerable system without any action on the part of the user. The assailant’s computer would need to be within a short distance of the victim’s PC, and the target would merely need to have Bluetooth turned on.
Joshua Talbot, security intelligence manager for Symantec Security Response, said the vulnerability could be exploited without any alerts being sent to the victim PC.
“An attacker would exploit this by sending specific malicious data to the targeted computer while establishing a Bluetooth connection,” Talbot said. “Because of a memory corruption issue at the heart of this vulnerability, the attacker would then gain access to the computer. All this would happen before any notification alerts the targeted user that another computer has requested a Bluetooth connection.”
Although it is unlikely, such a vulnerability could be used to power a computer worm that spreads from one Bluetooth-enabled Windows laptop to another, Talbot said.
Microsoft’s advisory states: “Windows Vista and Windows 7 support a wide range of Bluetooth radio devices, and will install the Bluetooth driver when a removable Bluetooth device is added to the system. As a result, all supported versions of Windows Vista and Windows 7 are affected.”
But Talbot added that many Windows laptops are configured to make connectivity as easy as possible for users, and will turn on Bluetooth when the computer’s wireless Internet component is active or searching for networks (which, for many machines, is all the time).
Microsoft fixed 21 other security vulnerabilities this Patch Tuesday; all of them were less severe, so-called “privilege escalation” flaws that are of little use unless the attacker already has a foothold on the target’s system.
Updates are available from Windows Update, or via Automatic Updates. As always, if you experience any problems before, during or after applying these updates, please drop a note in the comments section about your experience.