Microsoft addressed 22 security vulnerabilities across four security bulletins in July’s Patch Tuesday update. Three of the patches fix issues in the Windows operating system.
The four bulletins patched issues in all versions of the Windows operating system and in Microsoft Visio 2003 Service Pack 3, Microsoft said in its Patch Tuesday advisory, released July 12. Of the patches, only one has been rated “critical.” The remaining three are rated “important,” according to Microsoft.
“Today’s Patch Tuesday, though light, should not be ignored, as these patches address vulnerabilities that allow attackers to remotely execute arbitrary code on systems and use privilege escalation exploits,” said Dave Marcus, director of security research and communications at McAfee Labs.
Security experts ranked Microsoft bulletin MS11-053, which addressed a critical vulnerability in the Windows Bluetooth stack on Windows Vista and Windows 7, as the highest priority. Attackers could exploit the vulnerability by sending specially crafted Bluetooth packets to the target system and remotely take control of it, Microsoft said in its bulletin advisory.
The issue emerges in the way an object in memory is accessed when it has not been correctly initialized or if it has been deleted, Microsoft warned. Attackers can use this flaw to gain the ability to crash the system, install programs, access data and create new user accounts, according to Microsoft.
While someone could use the Bluetooth stack vulnerability to launch a targeted attack, it’s unlikely to be used as part of a widespread attack because the attacker would have to be within Bluetooth range of the target, according to Joshua Talbot, security intelligence manager at Symantec Security Response.
The vulnerability is most urgent for road warriors who have Bluetooth devices, such as a headset or mouse, and use laptops in public spaces, such as airports and coffee shops, where attackers can get within range without raising suspicion, said Amol Sarwate, vulnerability labs manager for Qualys.
Attackers could send malicious packets to the targeted computer while trying to establish a connection and gain remote access before the user even sees the notification alert that another computer would like to connect, Talbot said. The Bluetooth bug is a kernel-level issue and gives attackers “complete system access.” So once attackers gain initial access, they can potentially use other remote-communication methods, such as the Internet, to maintain access, according to Talbot.
Microsoft said users can stop attacks by preventing Bluetooth devices from connecting to the computer. By default, Windows systems are not in “discoverable mode,” which makes the likelihood of an attack minimal. Even so, “the threat of Bluetooth exploits is enough to make it advisable to patch this one quickly,” said Andrew Storms, director of security operations at nCircle.
Microsoft also issued a nonsecurity patch to complement the Bluetooth bulletin to fix the issue where security updates occasionally fail to install Windows drivers on Windows 7 using Windows Update. The “child patch” could result in “some longer patch-deployment times and possibly multiple reboots of client systems,” which could seem painful for administrators, said Jason Miller, manager of the research and development team at VMware. However, “it is nice to see Microsoft addressing a potentially longer-term issue with driver patching by fixing the issue,” Miller said.
The second priority patch addresses an “important” DLL-preloading issue in Visio 2003 Service Pack 3. This type of vulnerability was publicly disclosed in August 2010. Microsoft has addressed the preloading issue in several of its products in the past, and it’s likely there will be more security bulletins fixing the security hole in other products in the future, said Miller.
Administrators should patch this issue quickly if they use Visio in the enterprise because spear-phishing attacks are highly prevalent, and users are vulnerable to them, said Paul Henry, security and forensic analyst at Lumension. Otherwise, users are at risk of remote code execution attacks on the unpatched machines.
Microsoft fixed 15 vulnerabilities in Windows kernel-mode drivers, but the attacker has to already have access to the target system before these bugs can be exploited. The remaining five bugs were in the Windows Client/Server Run-Time Subsystem on all supported Windows operating systems. The attacker also must already have access to the system before exploiting these holes.
The 22 vulnerabilities addressed in this month’s update would “normally be big news for enterprise security teams” but “because of everything else going on in security over the last few months, Microsoft just isn’t the most pressing security issue for many enterprises,” Storms said.