Microsoft today shipped four security bulletins with patches for 22 serious security flaws and called special attention to a vulnerability in the Windows Bluetooth stack that could allow hackers to remotely take control of an affected computer.
The vulnerability, fixed with MS11-053, headlines a batch of updates that include fixes for gaping holes in the Windows kernel and security problems in the Windows Client/Server Run-time Subsystem.
The Bluetooth stack vulnerability introduces remote code execution risks on Windows Vista and Windows 7, Microsoft warned.
From the bulletin:
A remote code execution vulnerability exists in the Windows Bluetooth 2.1 Stack due to the way an object in memory is accessed when it has not been correctly initialized or has been deleted. An attacker could exploit the vulnerability by constructing a series of specially crafted Bluetooth packets and sending them to the target machine. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Microsoft’s Jonathan Ness expects to see exploit code that simply causes denial-of-service attacks. However, Microsoft is recommending that users close off the attack surface by preventing any Bluetooth device from connecting to your computer.
The graphic below shows the Windows 7 Bluetooth Settings option for doing so. Side effect: Your Bluetooth mouse or headset will stop working until you re-allow Bluetooth devices to connect to your computer.
Separately, Microsoft is urging Windows users to pay attention to MS11-055, which covers a publicly disclosed vulnerability in the way that Microsoft Visio handles the loading of DLL files. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
This issue only affects Visio 2003 SP3 and it is rated “important.” Newer versions like Visio 2007 and 2010 are not affected.
According to Amol Sarwate, vulnerability research lab manager at Qualys, this current strain of DLL pre-loading vulnerabilities was first identified in August 2010 and plagues a large number of software packages, some from Microsoft and many from third-party vendors.
“Addressing all of the vulnerabilities is a daunting task and will not be completed any time soon, so we recommend implementing the guidelines laid out in KB2269637 that provide an additional safety-net on the operating systems for all Windows applications,” Sarwate said.
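The advisory Sarwate points to relies on an operating-system-wide registry setting that drops the current working directory from the DLL search order, which is what the "safety-net" amounts to. The script below is an added example, not code from the article, Qualys or Microsoft; it assumes the CWDIllegalInDllSearch DWORD under the Session Manager key that the KB2269637 guidance describes, audits it, and optionally sets it.

```powershell
# Added example (not from the article or from Microsoft): audit and, with
# -Apply, set the system-wide CWDIllegalInDllSearch value behind the
# KB2269637 DLL-preloading guidance. Read-only by default; -Apply needs an
# elevated session.
param(
    [switch]$Apply,
    # -1 is how PowerShell reads back the DWORD 0xFFFFFFFF, which removes the
    # current working directory (CWD) from the DLL search order entirely.
    # 2 = ignore CWD on remote shares and WebDAV, 1 = ignore CWD on WebDAV only.
    [int]$DesiredValue = -1
)

$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$valueName = 'CWDIllegalInDllSearch'
$meaning = @{
    (-1) = 'CWD removed from the DLL search order (strongest setting)'
    2    = 'CWD ignored when it is a remote share or WebDAV location'
    1    = 'CWD ignored only when it is a WebDAV location'
    0    = 'no restriction: default search order, DLL preloading still possible'
}

function Get-CwdDllSearchSetting {
    # Returns $null when the value is absent, which means default behaviour.
    $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$valueName
}

function Set-CwdDllSearchSetting([int]$Value) {
    # -Force creates the value if missing or overwrites it if present.
    New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

$current = Get-CwdDllSearchSetting
$label   = if ($null -eq $current) { 'not set' } else { $current }
$desc    = if ($meaning.ContainsKey([int]$current)) { $meaning[[int]$current] }
           else { 'unrecognised value' }
Write-Host "$valueName = $label ($desc)"

if ($Apply -and $current -ne $DesiredValue) {
    Set-CwdDllSearchSetting $DesiredValue
    Write-Host "Set $valueName to $DesiredValue"
} elseif ($current -ne $DesiredValue) {
    Write-Warning "Mitigation is not at the desired value $DesiredValue; re-run with -Apply to harden."
}
```

Per-application overrides and compatibility caveats are described in the advisory itself; test the strongest setting against line-of-business applications before rolling it out.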
The other two bulletins, MS11-054 and MS11-056, affect the Windows Kernel-Mode Drivers (win32k.sys) and the Windows Client/Server Runtime Subsystem (CSRSS) respectively. Both are rated “important”: they are local privilege-escalation flaws, so attackers who already have access to the target machine can use them to gain system-level privileges.