In mid-July, Microsoft reported that it had fixed 22 separate vulnerabilities on Patch Day. One of the most notable flaws addressed was in the Windows Bluetooth stack: a critical remote code execution vulnerability that could allow an attacker to take control of an affected Windows Vista or Windows 7 computer over the air.
What’s the vulnerability?
Experts recommend applying the Bluetooth stack patch first, at least on computers with Bluetooth adapters, since it is ranked Critical. By sending specially crafted Bluetooth packets, an attacker can exploit this flaw to take complete control of the computer, and the victim would see no sign of the attack.
According to Symantec Security Response security intelligence manager Joshua Talbot:
“An attacker would exploit this by sending specific malicious data to the targeted computer while establishing a Bluetooth connection. Because of a memory corruption issue at the heart of this vulnerability, the attacker would then gain access to the computer. All this would happen before any notification alerts the targeted user that another computer has requested a Bluetooth connection.”
This Bluetooth vulnerability could potentially be used to power a computer worm that spreads from one Bluetooth-enabled Windows laptop to another. Furthermore, many Windows laptops are configured to make connectivity as convenient as possible for users. Often, Bluetooth is enabled whenever the computer's wireless adapter is active or searching for networks, which for many machines means all the time.
Is it possible?
According to experts, exploiting this vulnerability is unlikely, as it may be difficult to build reliable exploits for code execution using this vulnerability. It appears more likely that attackers will find a way to cause a system denial-of-service (i.e. “bugcheck” or “bluescreen”) through this vulnerability.
Another thing to consider is that a Windows Vista/Windows 7 system is not "discoverable" by default: other Bluetooth devices are not allowed to "find" the computer, so they cannot learn its 48-bit Bluetooth address. A discoverable system would answer an attacker's inquiry scan with its address; in the default state, attackers must obtain the address through alternative means, such as brute force or extracting it from Bluetooth traffic captured over the air.
The latter option is difficult, but not impossible. Attackers can extract Bluetooth addresses from over-the-air traffic in about five minutes with a special device costing anywhere from $10,000 to $30,000.
Alternatively, attackers attempting brute force must be within Bluetooth radio range of the victim. The search is smaller than 48 bits suggests, since the upper 24 bits are a vendor prefix (OUI) and only a limited set of vendors make Bluetooth chipsets, but each candidate address still has to be paged over the air, so an attacker might need to spend several hours brute-forcing the victim's Bluetooth address and attempting the exploit against each hit.
The Bluetooth vulnerability was fixed with MS11-053.
According to the bulletin:
A remote code execution vulnerability exists in the Windows Bluetooth 2.1 Stack due to the way an object in memory is accessed when it has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a series of specially crafted Bluetooth packets and sending them to the target machine. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
What to do?
According to experts, the best way to protect a potentially vulnerable system is to apply the MS11-053 security update. If you cannot apply the update, you can close off the attack surface by preventing any Bluetooth device from connecting to your computer (on Windows 7 this is the "Allow Bluetooth devices to connect to this computer" option in the Bluetooth settings). Take note, however, that your Bluetooth mouse or headset will stop working until you re-allow Bluetooth devices to connect.
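The following PowerShell script is an added example, not code from the original article or from Microsoft. It carries out the triage described above on a Windows Vista/7 host: it checks whether a Bluetooth radio is present at all (if not, MS11-053 does not apply), whether the update is installed, and what state the Bluetooth Support Service is in, and it can stop and disable that service as a stop-gap until the patch is applied. Assumptions: the KB article number for MS11-053 is passed in by the caller (read it from the bulletin; I believe it is KB2532531, but verify that before relying on it), and the Bluetooth service name is bthserv, which is what Vista and 7 use. Stopping bthserv is a blunter instrument than the Control Panel checkbox the article refers to, since it shuts the whole stack down.

```powershell
# Added example (not from the article or Microsoft): MS11-053 triage for Vista/7.
# Assumptions: -KB is the bulletin's KB number (supplied by the caller);
# the Bluetooth Support Service is named "bthserv" on these Windows versions.
# Run in an elevated PowerShell if you use -BlockBluetooth.
param(
    [Parameter(Mandatory=$true)]
    [string]$KB,               # KB article number from the MS11-053 bulletin, e.g. "KB2532531" (verify)
    [switch]$BlockBluetooth    # stop and disable bthserv if the host is unpatched
)

# 1. Is there Bluetooth hardware? The flaw is only reachable through a radio.
$radios = Get-WmiObject Win32_PnPEntity |
    Where-Object { $_.Name -match 'Bluetooth' -and $_.Status -eq 'OK' }
if (-not $radios) {
    Write-Output "No working Bluetooth device found; the MS11-053 attack surface is not exposed."
    return
}
foreach ($r in $radios) { Write-Output ("Bluetooth device present: " + $r.Name) }

# 2. Is the update installed? Get-HotFix reads Win32_QuickFixEngineering.
if ($KB -match '^KB') { $kbId = $KB } else { $kbId = "KB$KB" }
$patched = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $kbId }
if ($patched) {
    Write-Output ("{0} is installed (on {1}); no workaround needed." -f $kbId, $patched.InstalledOn)
    return
}
Write-Warning "$kbId is NOT installed: this host is exposed to MS11-053."

# 3. Report the Bluetooth Support Service state (bthserv on Vista/7, assumed).
$svc = Get-Service -Name bthserv -ErrorAction SilentlyContinue
if ($svc) {
    Write-Output ("Bluetooth Support Service (bthserv) is " + $svc.Status)
} else {
    Write-Warning "bthserv not found; check the service name on this system."
}

# 4. Stop-gap: shut the stack down so nothing can connect. This is more
# aggressive than unticking "Allow Bluetooth devices to connect to this
# computer": mice and headsets stop working, as the article warns.
if ($BlockBluetooth -and $svc) {
    Stop-Service -Name bthserv -Force
    Set-Service -Name bthserv -StartupType Disabled
    Write-Output "bthserv stopped and disabled. After patching, re-enable with: Set-Service bthserv -StartupType Manual"
}
```

Run it as `.\Check-MS11053.ps1 -KB KB2532531` (substituting the number from the bulletin) to report only, and add `-BlockBluetooth` from an elevated prompt to apply the stop-gap. Only cmdlets available in PowerShell 2.0 are used (Get-WmiObject, Get-HotFix, Get-Service), so it runs on an unmodified Windows 7 install.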
This article takes a look at Microsoft's July security bulletins, which included a number of fixes for known vulnerabilities, among them the critical vulnerability in the Windows Bluetooth stack that could allow remote code execution. The update was released for all supported editions of Windows Vista and Windows 7. The article explores potential attacks and exploitation of the vulnerability and Microsoft's response with the update MS11-053.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
- The consumer perspective (II.A.a.)
- Managing risk (V.A.)
- Technologies with Privacy Impacts (VI.D.ii.)