July 12, 2011

Microsoft today released updates to fix at least 22 security flaws in its Windows operating systems and other software. The sole critical patch from this month’s batch addresses an unusual Bluetooth vulnerability that could let nearby attackers break into vulnerable systems even when the targeted computer is not connected to a network.

Bluetooth is a wireless communications standard that allows electronic devices — such as laptops, mobile phones and headsets — to communicate over short distances (the average range is between 30 and 100 meters, but that range can be extended with specialized tools). To share data, two Bluetooth-enabled devices normally need to “pair” with one another, a process that involves the exchange of a passkey between the two devices.

But Microsoft today shipped a patch to fix a flaw in its Bluetooth implementation on Windows Vista and Windows 7 computers that it said attackers could use to seize control over a vulnerable system without any action on the part of the user. The assailant’s computer would need to be within a short distance of the victim’s PC, and the target would merely need to have Bluetooth turned on.

Joshua Talbot, security intelligence manager for Symantec Security Response, said the vulnerability could be exploited without any alerts being sent to the victim PC.

“An attacker would exploit this by sending specific malicious data to the targeted computer while establishing a Bluetooth connection,” Talbot said. “Because of a memory corruption issue at the heart of this vulnerability, the attacker would then gain access to the computer. All this would happen before any notification alerts the targeted user that another computer has requested a Bluetooth connection.”

Although it is unlikely, such a vulnerability could be used to power a computer worm that spreads from one Bluetooth-enabled Windows laptop to another, Talbot said.

Microsoft’s advisory states: “Windows Vista and Windows 7 support a wide range of Bluetooth radio devices, and will install the Bluetooth driver when a removable Bluetooth device is added to the system. As a result, all supported versions of Windows Vista and Windows 7 are affected.”

But Talbot added that many Windows laptops are configured to make connectivity as easy as possible for users, and will turn on Bluetooth when the computer’s wireless Internet component is active or searching for networks (which, for many machines, is all the time).

Microsoft fixed 21 other security vulnerabilities this Patch Tuesday; all of them were less severe, so-called “privilege escalation” flaws that are of little use unless the attacker already has a foothold on the target’s system.

Updates are available from Windows Update, or via Automatic Updates. As always, if you experience any problems before, during or after applying these updates, please drop a note in the comments section about your experience.

10 thoughts on “Microsoft Fixes Scary Bluetooth Flaw, 21 Others”

  1. xAdmin

    If you don’t need it (Bluetooth), disable it! My laptops have Bluetooth disabled in the BIOS! 🙂 That and I’m running Windows XP yet (non-affected). Booyaa! 😛

  2. Tom

    All my PCs have Linux Mint on them. In order to make Windows more secure, you need to create a user account, then use that instead of the Admin account, which is what you are using if you have no other accounts associated with your machine. You also should have set up a password during setup, then raise the security level all the way up, to the point that if you want to add something to the desktop it will ask for your password, then use Firefox and add NoScript in the add-on area. This is the best way to secure your machine.

    1. Natanael L

      Well, that you’re logged in as a user won’t really help much. The kernel is still running with full privileges, and as long as there’s some code that’s running with full privileges, then the hacker can get full access if he can reach in there.
      The Bluetooth issue is on the driver level, and those usually run with kernel-level privileges…

      This is a lot like the FireWire issue that was found some time ago, although this is not a security flaw in the design but only in the implementation.

  3. petur

    Stating the range as 30 to 100 meters is simply not true… Most real-life implementations fail beyond 10 meters; I bet you already need some serious tools to get into that 30 to 100 meter range.
    Doesn’t change the seriousness of this hole, though…

    1. wiredog

      Wouldn’t the Pringles can trick be all you needed to get longer range?

      1. Natanael L

        Yes, but you need to increase the power on the transmitting antenna OR have two of those cans.

        1. Quartzman

          Actually… you wouldn’t require a Pringles can on both sides if the Pringles can antenna you have on your side has a good enough dB gain on reception.

          Basic premise for those parabolic Bluetooth “snipers”…

          1. Natanael L

            Well, maybe I posted that too quickly. I guess I unintentionally assumed your broadcasted signal would be, well, *broad*casted.

  4. Mike

    When I rebooted after the updates installed, my computer said csc.exe could not start, and to press OK to shut down the csc program. I had to click the OK button a dozen or so times, as it kept popping back up. The Dell DataSafe program then came up, and wanted to upgrade, but nothing else was on the screen. Then the computer went blank and restarted normally.

    I ran sfc /scannow from an elevated command prompt, but it found no problems extant. I restarted the computer again and it was normal. Perplexing.

  5. Follow the money

    So I set up this super-duper Bluetooth machine and hide it at the top of the escalators at the subway at the bottom of a garbage bin, siphoning off all the data as the commuters pass by. Those escalators are sure slow moving, and give me a few minutes to do my dastardly deeds. Every night I collect my ‘bin’, recharge the batteries and offload the data.

    Maybe I can do that with all the unpatched Apple iPhones and collect daily movement data. I then contact my burglary team and send them a list of unattended residences to burgle today. After all, I know they pass this way at the same time each day, to and from work, and I know where they live and work.

    No, this is not a movie script!
