Softpedia
July 13th, 2011, 13:55 GMT · By

Microsoft Patches Critical Vulnerability in Bluetooth Stack

Critical vulnerability patched in Windows Bluetooth stack
Microsoft has released its July batch of security patches, which address vulnerabilities in Windows and Office, including one that allows remote code execution.

Identified as CVE-2011-1265, the vulnerability is covered in MS11-053, the only Microsoft security bulletin rated critical this month.

It is located in the Windows Bluetooth stack and affects all supported versions of Windows Vista and Windows 7. The vulnerable component is only present on computers that have a Bluetooth radio, so systems without one are not exposed.

"The vulnerability could allow remote code execution if an attacker sent a series of specially crafted Bluetooth packets to an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft writes in its advisory.

Despite this security issue being rated as critical, Microsoft security researchers believe that it would be hard to build a reliable exploit for it. They note that denial of service attacks are more likely than the execution of arbitrary code.

Furthermore, finding the Bluetooth device address required for a successful attack is not straightforward, because Windows 7 computers are not configured to be "discoverable" by default.

But even an attacker who found out the address could not exploit the vulnerability over the Internet. A successful attack requires the attacker to be within Bluetooth radio range of the victim, typically around ten metres for the Class 2 radios common in laptops.

"This combination of factors leads us to believe that systems are unlikely to be exposed to reliable remote code execution exploits via this vulnerability in the next 30 days," Jonathan Ness from the MSRC Engineering team says.

In addition to this security bulletin, Microsoft released three more, all of them rated important. They address fifteen privilege escalation flaws in the Windows kernel-mode drivers (MS11-054), five EoP vulnerabilities in the Windows Client/Server Run-time Subsystem (CSRSS) (MS11-056) and a publicly disclosed remote code execution hole in Microsoft Visio (MS11-055).

Users and system administrators are advised to deploy the patches as soon as possible. Those who cannot should at least prevent Bluetooth devices from connecting to their computers, which can be done from the Bluetooth Settings panel by unchecking "Allow Bluetooth devices to connect to this computer."
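For administrators who want to apply that advice across a fleet rather than by hand, the following PowerShell script is an added example written for this page; it is not from the article and not Microsoft's own tooling. It reports whether a host runs an affected Windows version, whether a Bluetooth radio is present, and whether the update is installed, and with -Mitigate it stops and disables the Bluetooth Support Service (bthserv) as an interim workaround. Two assumptions are the script's own: the default KB number must be confirmed against the MS11-053 bulletin, and disabling bthserv is this example's scriptable substitute for unchecking the "Allow Bluetooth devices to connect" box (it switches Bluetooth off entirely, which is broader than the checkbox).

```powershell
<#
  Added example, not from the article and not Microsoft's tooling.
  Checks exposure to the MS11-053 Bluetooth stack vulnerability and, with
  -Mitigate, applies an interim workaround while the patch is still pending.

  Assumptions made by this example:
    * $KbId is the KB number of the MS11-053 update package; confirm it
      against the bulletin before trusting PatchInstalled.
    * Stopping and disabling the Bluetooth Support Service (bthserv) is used
      as an administrator-scriptable equivalent of unchecking "Allow Bluetooth
      devices to connect to this computer". It disables Bluetooth entirely.
  Written for PowerShell 2.0 on Windows Vista / 7 (Get-WmiObject, not the
  newer CIM cmdlets). Run from an elevated prompt when using -Mitigate.
#>
param(
    [string]$KbId = 'KB2566454',   # assumed; verify against MS11-053
    [switch]$Mitigate
)

# Device setup class under which Windows enumerates Bluetooth radios and devices.
$BluetoothClassGuid = '{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}'

function Test-AffectedWindows {
    # MS11-053 covers client editions of Windows Vista (6.0) and Windows 7 (6.1).
    $os = Get-WmiObject Win32_OperatingSystem
    $isClient   = ($os.ProductType -eq 1)
    $isVistaOr7 = ($os.Version -like '6.0.*' -or $os.Version -like '6.1.*')
    return ($isClient -and $isVistaOr7)
}

function Get-BluetoothDevice {
    # The vulnerable stack is only present when a Bluetooth radio exists,
    # so a host with no Bluetooth class devices is not reachable by the bug.
    Get-WmiObject Win32_PnPEntity |
        Where-Object { $_.ClassGuid -eq $BluetoothClassGuid }
}

function Test-PatchInstalled {
    param([string]$Id)
    # Get-HotFix lists updates recorded by Windows Update / WUSA.
    $fix = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    return ($fix -ne $null)
}

function Disable-IncomingBluetooth {
    # Interim workaround: with bthserv stopped and disabled the host neither
    # accepts pairing requests nor services existing Bluetooth connections.
    $svc = Get-Service -Name bthserv -ErrorAction SilentlyContinue
    if ($svc -eq $null) { return $false }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name bthserv -Force }
    Set-Service -Name bthserv -StartupType Disabled
    return $true
}

$devices  = @(Get-BluetoothDevice)
$affected = Test-AffectedWindows
$patched  = Test-PatchInstalled -Id $KbId
# Exposed only when all three hold: affected OS, Bluetooth hardware, no patch.
$exposed  = $affected -and ($devices.Count -gt 0) -and (-not $patched)

$report = New-Object PSObject -Property @{
    AffectedWindows  = $affected
    BluetoothDevices = $devices.Count
    PatchInstalled   = $patched
    Exposed          = $exposed
    Mitigated        = $false
}

if ($exposed -and $Mitigate) {
    $report.Mitigated = Disable-IncomingBluetooth
}

$report | Format-List
```

Run it without -Mitigate first to see the Exposed verdict; re-enable Bluetooth afterwards with Set-Service bthserv -StartupType Manual and Start-Service bthserv once the update is deployed.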
