Microsoft released four bulletins last night to address 22 vulnerabilities in Windows and Office.
As announced by SC Magazine last week, one of the patches is rated as critical, while the other three are rated as important. Microsoft and commentators were unanimous that MS11-053 is the highest priority for deployment, as it resolves one privately reported vulnerability in the Windows Bluetooth stack.
This bulletin is rated critical for Windows Vista and Windows 7 platforms, while all prior versions of Windows are unaffected.
Amol Sarwate, vulnerability labs manager at Qualys, said: “We rank as the highest priority Microsoft bulletin MS11-053 which fixes a vulnerability in the Bluetooth driver. This vulnerability is rated as ‘critical’ and affects machines that are Bluetooth enabled. An attacker who is in close physical proximity can send specially crafted packets using Bluetooth, which will cause the target's machine to crash and possibly take control of the system.
“Addressing this vulnerability is most urgent for road warriors who have a Bluetooth device such as mouse or headset connected and who use their laptops at airports, coffee shops, book stores or other public places where attackers can get within range without causing suspicion.
“As a workaround, users can temporarily disable Bluetooth. The vulnerability cannot be exploited over the wire, for example by visiting a malicious website or opening a word document.”
Andrew Storms, director of security operations at nCircle, said: “For years people have discussed the theory of proximity-based worms using Bluetooth as the attack vector and today that theory has become reality. This seems pretty scary at first glance, but it's a good idea to consider the details of the vulnerability before getting all worked up about it.
“This bug requires that Bluetooth on a PC be set in ‘discoverable mode’ and this is not the default setting. If Bluetooth is not set to ‘discoverable,’ the attacker will need to use another approach to attack the PC before they can take advantage of the Bluetooth bug. Even though this bug will be tricky to exploit, the threat of Bluetooth exploits is enough to make it advisable to patch this one quickly.”
Jason Miller, manager of research and development at VMware, said: “Could this vulnerability be the new case of drive-by war dialling? The example of a prime target I keep seeing in my head is the local sandwich shop near my house. Every time I pop in to satisfy my sandwich craving, I see 20-30 people working wirelessly and this just seems like a prime target for new war dialling techniques.
“It is important to note that Microsoft has an exploitability index rating of two on this bulletin. This makes the vulnerability more difficult to exploit. If you have mobile users working outside of your office, you will want to look at patching these machines as soon as possible.”
Marcus J. Carey, security researcher and community manager at Rapid7, said: “Wireless vulnerabilities such as MS11-053 are always quite sexy because if successfully exploited, they allow attackers to do anything they want to the machine through Bluetooth wireless devices.
“To successfully exploit this vulnerability an attacker may need specialised equipment to actually transmit the specially crafted Bluetooth traffic. This should concern users who have internal Bluetooth devices or people that use after-market Bluetooth headphones, mice, keyboards and printers through USB. The problem with Bluetooth is that often people have their Bluetooth devices activated and are totally unaware that they are transmitting.
“We can expect more Bluetooth related bugs popping up due to projects like Project Ubertooth, which is enabling security researchers to experiment with Bluetooth hardware and communication. While critical, this vulnerability could be difficult to exploit as generally speaking attackers would need to be in the immediate vicinity of the Bluetooth device to compromise it; however, there are devices known as ‘Bluetooth Sniper Rifles’ that enable attacks from greater distances.”
Paul Henry, security and forensic analyst at Lumension, said: “The MS11-053 patch is critical and warrants immediate attention if your environment is Bluetooth enabled. This should be followed by MS11-055, due to the prevalence of spear phishing in the current threat environment and the ability to provide for remote code execution. Once you've addressed those two, then tackle the balance of this month's patches.”
Sarwate said: “The second priority goes to MS11-055 which is a DLL-preloading issue in Visio 2003 SP3 and rated as ‘important’. Newer versions like Visio 2007 and 2010 are not affected. This current strain of DLL pre-loading vulnerabilities was first identified in August of 2010 and plagues a large number of software packages, some from Microsoft and many from third party vendors.
“Addressing all of the vulnerabilities is a daunting task and will not be completed any time soon, so we recommend implementing the guidelines laid out in KB2269637 that provide an additional safety-net on the operating systems for all Windows applications.”
Carey said: “This is rated ‘important’ and will not affect many people outside corporate circles. However, organisations that are using it will need to be patched and in the meantime should be wary of Visio files sent from unknown sources.”
Bulletins MS11-054 and MS11-056 affect the Windows Kernel-Mode Drivers (win32k.sys) and the Windows Client/Server Runtime Subsystem (CSRSS) respectively. Sarwate noted that both are rated as ‘important’ and that attackers who already have access to the target machine can use these vulnerabilities to gain system-level privileges.
Miller said: “MS11-054 addresses 15 vulnerabilities in the Windows Kernel-Mode Drivers. At first glance, the number of vulnerabilities addressed in this single bulletin seems alarming. All of the vulnerabilities addressed in this bulletin are related. An attacker must first have access to a system before they can exploit the vulnerability.
“MS11-056 addresses five vulnerabilities in the Windows Client/Server Runtime Subsystem on all supported Microsoft operating systems. Like MS11-054, all of the vulnerabilities are related. This bulletin also requires an attacker to first have access to a system before they can exploit the vulnerability.”