Microsoft reissues MS08-030

Jun 20, 2008 07:04 GMT  ·  By

Windows XP Service Pack 3 and Service Pack 2 were left wide open to attacks via a vulnerability in the operating system's Bluetooth stack, even though Microsoft released a Critical patch addressing the issue on June 10, 2008. MS08-030 was designed to patch a critical security flaw in the Bluetooth stack affecting 32-bit XP SP2 and XP3, 64-bit XP SP2 and x86 and x64 Windows Vista RTM and SP1. On June 19, loyal to the concept when at first don't succeed, try, try again, the Redmond company reissued MS08-030, but only for XP SP2 and SP3.

Christopher Budd, security program manager in the Microsoft Security Response Center (MSRC), explained that the new security bulletin does not impact the entire range of Windows platforms that were covered in the initial release. "If you're running Windows XP SP2 or SP3, you should go ahead and test and deploy these new security updates. If you've deployed security updates for MS08-030 for other versions of Windows, you don't need to take any action for those systems," Budd stated.

However, Budd stressed that users of XP SP2 and XP SP3 should patch their systems with the new version of MS08-030. This because the old update did nothing to resolve the Critical Bluetooth problem for XP with either of the latest two service packs.

"Our investigation found that while the other security updates were providing protections for the issues discussed in the bulletin, the Windows XP SP2 and SP3 updates were not. Our engineering teams immediately set to work to address the issue and release new versions of the security updates for Windows XP SP2 and SP3. These are available now and are being delivered through the same detection and deployment tools as the original update," Budd added.

The Bluetooth vulnerability could allow an attacker to perform remote code execution on a compromised system in the eventuality of a successful exploit. Still, there are several factors which contribute to making this vulnerability less severe than the actual rating given, the company explained.

First off, the security flaw was privately reported to Microsoft. Additionally, although it is exploitable remotely, the attacker would still have to be in the proximity of the target, because the issue requires a Bluetooth link. And on top of this, the actual exploit is extremely complex, involving flooding the target machine with SDP messages designed to open a small window which has to be used in order to take control of the memory layout on the victim's machine. But even so, Microsoft labeled the vulnerability with its maximum severity rating and offered MS08-030 again, blaming human error.

"Our focus has been on delivering new versions of these updates to protect customers as quickly as possible. Now that that's done, as part of our standard process, we're beginning an investigation into how this happened. We're just starting this investigation, but early on, it appears that there may have been two separate human issues involved. When we're done with our investigation, we'll take steps to better prevent it in the future," Budd concluded.

Windows XP SP3 is available for download here.