Microsoft Squashes Bluetooth Bug

  /     /     /  
Publicated : 22/11/2024   Category : security


Microsoft Squashes Bluetooth Bug


Patch Tuesday sees 22 Microsoft vulnerabilities fixed, while Mozilla pushes a Mac-only Firefox update.



Office 365 Vs. Google Apps: Top 10 Enterprise Concerns (click image for larger view and forslideshow)
On Tuesday, Microsoft released four security bulletins with patches for 22 vulnerabilities, including bugs in Microsoft Visio, Windows Client/Server, and the Windows kernel.
Only one of the 22 vulnerabilities, however, was rated as critical. It involves a bug in the Bluetooth stack that an attacker could exploit by sending specially crafted packets to a PC within Bluetooth range--typically, about 30 feet--to take full control of the machine. The vulnerability is present only in Windows 7 and Vista.
We encourage all customers to apply this bulletin first, before deploying the rest of our July updates, as soon as possible, according to a Microsoft Security Response Center
blog post
. It notes that Windows users with Automatic Update enabled will get the fix automatically.
Whos most at risk from the Bluetooth vulnerability? Road warriors who have a Bluetooth device such as [a] mouse or headset connected, and who use their laptops at airports, coffee shops, book stores, or other public places where attackers can get within range without causing suspicion, said Amol Sarwate, vulnerability labs manager for Qualys, in a
blog post
. As a workaround, users can temporarily disable Bluetooth. The vulnerability cannot be exploited over the wire, for example by visiting a malicious website or opening a Word document.
Because the attack requires not only physical proximity, but also the targeted PC to have a certain Bluetooth configuration, security experts said that its unlikely to be exploited en masse. To exploit the flaw, users would need to have their Bluetooth adapter in discoverable mode and be within range of a determined attacker, said Chester Wisniewski, a senior security advisor at Sophos Canada, in a
blog post
. Furthermore, Bluetooth, even when activated, is by default not discoverable. As a result, he said that the bug is a low-risk vulnerability.
Microsoft did note, however, that an attacker could execute an attack against a Bluetooth-enabled device that wasnt in discoverable mode, although its not very practical.
If you have paired a Bluetooth peripheral and are actively communicating, it is hard but not impossible to extract the Bluetooth address from the traffic sent over-the-air, according to a Microsoft Security Research & Defense
blog post
. A device is available on the market for $10,000 to $30,000 to do this in about five minutes. Research continues to advance in this space and we expect in years to come that this will become quicker for attackers. But for now, it remains difficult but not impossible to extract the Bluetooth address from over-the-air traffic.
Meanwhile, the other bugs patched by Microsoft rated as important, meaning they cant be used alone for remote code execution. Those vulnerabilities include bugs in the Windows kernel drivers and client/server runtime subsystem, which could give elevated system privileges to an attacker who can already run code on the machine, as well as a
DLL hijacking issue
in Visio 2003 SP3. According to Qualyss Sarwate, this current strain of DLL pre-loading vulnerabilities was first identified in August of 2010 and plagues a large number of software packages, some from Microsoft and many from third-party vendors. Addressing all of the vulnerabilities is a daunting task and will not be completed anytime soon.
For Apple users feeling overlooked by the flurry of Windows patches, on Tuesday, Mozilla also pushed a Mac-only Firefox update (moving the current version from 5.0 to 5.0.1) to fix two reliability problems. One of these--Firefox crashes when using a downloadable font--manifests itself only on OS X 10.7, which isnt out yet, said Paul Ducklin, head of technology for Sophos in the Asia Pacific region, said in a
blog post
. The other--the Java plug-in stopped working after Apples last Java update--affects only users of OS X 10.5, which is the previous version of Apples operating system.
Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas.
Find out more and register
.

Last News

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Microsoft Squashes Bluetooth Bug