Microsoft fixed 22 bugs with July's Patch Tuesday update release, which closed security holes in Windows, including a critical flaw in the Bluetooth stack.
Microsoft addressed 22
security vulnerabilities across four security bulletins in July's Patch Tuesday
update. Three of the patches fix issues in the Windows operating system.
The four bulletins patched
issues in all versions of the Windows operating system and in Microsoft Visio
2003 Service Pack 3, Microsoft said in its Patch
Tuesday advisory, released July 12. Of the patches, only one has been rated
"critical." The remaining three are rated "important," according to
Microsoft.
"Today's Patch Tuesday,
though light, should not be ignored, as these patches address vulnerabilities
that allow attackers to remotely execute arbitrary code on systems and use
privilege escalation exploits," said Dave Marcus, director of security research
and communications at McAfee Labs.
Security experts ranked
Microsoft bulletin MS11-053, which addressed a critical vulnerability in the
Windows Bluetooth stack on Windows Vista and Windows 7, as the highest
priority. Attackers could exploit the vulnerability by sending
specially crafted Bluetooth packets to the target system to remotely take
control, Microsoft said in its bulletin advisory.
The issue emerges in the way
an object in memory is accessed when it has not been correctly initialized or
if it has been deleted, Microsoft warned. Attackers can use this flaw to gain
the ability to crash the system, install programs, access data and create new
user accounts, according to Microsoft.
While someone could use the
Bluetooth stack vulnerability to launch a targeted attack, it's unlikely to be
used as part of a widespread attack because the attacker would have to be
within Bluetooth range of the target, according to Joshua Talbot, security
intelligence manager at Symantec Security Response.
The vulnerability is most
urgent for road warriors who have Bluetooth devices, such as a headset or mouse,
and use laptops in public spaces, such as airports and coffee shops, where
attackers can get within range without raising suspicion, said Amol Sarwate,
vulnerability labs manager for Qualys.
Attackers could send
malicious packets to the targeted computer while trying to establish a
connection and gain remote access before the user even sees the notification
alert that another computer would like to connect, Talbot said. The Bluetooth
bug is a kernel-level issue and gives attackers "complete system
access." So once attackers gain initial access, they can potentially use
other remote-communication methods, such as the Internet, to maintain access,
according to Talbot.
Microsoft recommended that
users stop attacks by preventing
Bluetooth devices from connecting to the computer. By default, Windows
systems are not in "discoverable mode," which makes the likelihood of
an attack minimal. Even so, "the threat of Bluetooth exploits is enough to
make it advisable to patch this one quickly," said Andrew Storms, director
of security operations at nCircle.
Microsoft also issued a nonsecurity
patch to complement the Bluetooth bulletin to fix the issue where security
updates occasionally fail to install Windows drivers on Windows 7 using Windows
Update. The "child patch" could result in "some longer patch-deployment
times and possibly multiple reboots of client systems," which could seem
painful for administrators, said Jason Miller, manager of the research and
development team at VMware. However, "it is nice to see Microsoft addressing
a potentially longer-term issue with driver patching by fixing the issue,"
Miller said.
The second priority patch
addresses an "important" DLL-preloading issue in Visio 2003 Service
Pack 3. This type of vulnerability was publicly disclosed in August 2010. Microsoft
has addressed the preloading issue in several of its products in the past, and
it's likely there will be more security bulletins fixing the security hole in
other products in the future, said Miller.
Administrators should patch
this issue quickly if they use Visio in the enterprise because spear-phishing
attacks are highly prevalent, and users are vulnerable to them, said Paul
Henry, security and forensic analyst at Lumension. Otherwise, users are at risk
for remote code execution attacks on the unpatched machines.
Microsoft fixed 15
vulnerabilities in Windows kernel-mode drivers, but the attacker has to already
have access to the target system before these bugs can be exploited. The
remaining five bugs were in the Windows Client/Server Run-Time Subsystem on all
supported Windows operating systems. The attacker also must already have access
to the system before exploiting these holes.
The 22 vulnerabilities
addressed in this month's update would "normally be big news for
enterprise security teams" but "because of everything else going on
in security over the last few months, Microsoft just isn't the most pressing
security issue for many enterprises," Storms said.