'Bluetooth sniper' Windows vuln fix in light Patch Tuesday

Unpatched machines can be crashed wirelessly

Got Tips? 2 Reg comments

Microsoft's latest patch Tuesday landed last night with four bulletins, the most significant of which fixes a Bluetooth-related vulnerability in Windows 7 and Windows Vista.

The patch (MS11-053) fixes a vulnerability in the Bluetooth stack within Windows that creates a possible, albeit difficult to exploit, code injection risk. An attacker would normally need to be both near and in possession of a Bluetooth address - not revealed via the vulnerability itself - to cause any mischief. It's more likely that the bug might be abused to crash Windows boxes that have Bluetooth enabled, a far easier trick to pull off.

Marcus J Carey, security researcher and community manager at vulnerability management outfit Rapid7, said this type of wireless vulnerability could become more common in future.

"We can expect more Bluetooth related bugs popping up due to projects like Project Ubertooth, which is enabling security researchers to experiment with Bluetooth hardware and communication," Carey explained. "While critical, this vulnerability could be difficult to exploit as generally speaking attackers would need to be in the immediate vicinity of the Bluetooth device to compromise it; however, there are devices known as 'Bluetooth Sniper Rifles' that enable attacks from greater distances."

Two of the other three bulletins in July's patch batch also cover flaws in Windows. The bugs in Windows Kernel-Mode Drivers (win32k.sys) and Windows Client/Server Runtime Subsystem (CSRSS) addressed by the two updates are both rated at "important". The final notice covers a security bug in Visio 2003 SP3, also classified as "important".

An overview of the updates can be found in a blog post by the Internet Storm Centre here. Microsoft's advisory is here.

July's Patch Tuesday of four bulletins is a just a quarter the size of the massive batch Redmond's security gnomes hatched in June, continuing an alternating pattern of light and heavy update loads that been a feature of Patch Tuesday over recent months. ®

Sponsored: How to simplify data protection on Amazon Web Services

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER


Keep Reading

US-CERT lists the 10 most-exploited security bugs and, yeah, it's mostly Microsoft holes people forgot to patch

Update, update, update. Plus: Flash, Struts, Drupal also make appearances

Rust in peace: Memory bugs in C and C++ code cause security issues so Microsoft is considering alternatives once again

Redmond engineer hints at taking super-lang for a spin
Image composite: Microsoft and StudioLondon http://www.shutterstock.com/gallery-893620p1.html

Sadly, 111 in this story isn't binary. It's decimal. It's the number of security fixes emitted by Microsoft this week

Patch Tuesday Nothing too scary. Plus updates from SAP, Adobe, VMware
Windows 10 by Anton Watman, image via Shutterstock

Stuck at home? Need something to keep busy with? Microsoft has 115 ideas – including an awful SMBv3 security hole to worry about

Updated Hefty Patch Tuesday covers critical Word, Dynamics bugs, and more
patch

OpenBSD bugs, Microsoft's bad update, a new Nork hacking crew, and more

Meanwhile, the DOJ sets its sights on money mules
celebrating in front of flaming birthday cake

Four new bugs? You shouldn't have: Microsoft celebrates 45 years with dollop of borkage on Windows Insider Fast Ring

Roundup Also: Skype goes attention-seeking and Edge shares its scrolling smarts with Chromium
Man browses his tablet and ignores the beach. Photo by shutterstock

It is with a heavy heart that we must report that your software has bugs and needs patching: Microsoft, Adobe, SAP, Intel emit security fixes

Patch Tuesday And Google drops a zero-day on Windows after deadline miss
Software bug

We're almost into the third decade of the 21st century and we're still grading security bugs out of 10 like kids. Why?

Disclosure Infosec veteran Marc Rogers on why we need a better system to rate vulnerabilities

Biting the hand that feeds IT © 1998–2020