Windows users: Patch now or turn off Bluetooth

Microsoft's June Patch Tuesday release included a critical fix affecting all Windows Vista and XP systems, which could allow attackers to wirelessly steal confidential information from laptops by exploiting a flaw in the Bluetooth stack.

The Bluetooth stack flaw, detailed in Microsoft bulletin CVE-2008-1453 and rated 'critical', could allow an attacker to take complete control of an affected system, install programs, alter data or create new accounts with full user rights.

The MS08-030 patch modifies the way that the Bluetooth stack handles a large number of service description requests.

Microsoft recommends applying the patch immediately and security experts advise users to turn off Bluetooth features until the patch has been applied.

Matthew Aburn, director of security consultancy Halcyon, said the flaw was particularly dangerous because hardware manufacturers usually set the factory default for Bluetooth as 'active'.

"Hardware-wise, most ship with Bluetooth on by default. I'd definitely recommended that if you're not using Bluetooth, you should turn it off," Aburn told ZDNet.com.au.

Rob Pregnall, Symantec's senior manager of Technical Product Management for Endpoint Security in Asia Pacific and Japan, agreed. He said that hardware manufacturers do this in order to make those features easier to access.

"When I look at a freshly bought machine from a reputable manufacturer, the first thing I notice is that every bell and whistle is turned on. I see it across different hardware manufacturers, including Macs," he said.

"All the different communication technologies are generally activated, so I think it's a move by manufacturers to ensure that everything is turned on so that minimal effort is needed to use the capabilities that users were sold on," Pregnall told ZDNet.com.au.

In a blog, Microsoft admits that although in most cases an attacker would need to be in close range to exploit the vulnerability, there are ways to increase that distance.

"The standard range of Bluetooth is in the order of meters, although an attacker could use specialised antennas to increase this," the blog said.

This was back up by Halcyon's Aburn.

"People look at the standard specifications for Bluetooth range of connectivity, which says you need to be so many metres away but using a directional antenna, people can target you from much further away," he said.

This month's Patch Tuesday also includes fixes for a drive by download weakness in Internet Explorer, as well as flaws in affecting Microsoft' multimedia APIs.

The critical vulnerability affecting Internet Explorer described in CVE-2008-1442 and CVE-2008-1544 only affects Windows XP and Vista systems. The MS08-031 cumulative patch fixes a couple of vulnerabilities, including one that could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer and another which could allow information disclosure if a similarly configured page was viewed using the browser.

The DirectX flaws affects all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-0011 and CVE-2008-1444. Microsoft says the vulnerability "could allow remote code execution if a user opens a specially crafted media file. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Moderate and important updates
The one moderate bulletin covers a flaw in the speech recognition feature in Windows 2000, XP, and Windows Vista. Of the important bulletins, one concerns Active Directory and another Pragmatic General Multicast (PGM). All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-032: Moderate
Titled "Cumulative Security Update of ActiveX Kill Bits (950760)", this bulletin affects users of Microsoft Windows 2000 Service Pack 4; all supported editions of Windows XP; and all editions of Windows Vista including Windows Vista Service Pack 1. The update addresses the issues in CVE-2007-0675. It fixes a publicly reported vulnerability for the Microsoft Speech API that could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer and has the speech recognition feature in Windows enabled.

MS08-034: Important
Titled "Vulnerability in WINS Could Allow Elevation of Privilege (948745)", this bulletin affects all supported editions of Microsoft Windows 2000 Server and Windows Server 2003. This update addresses the vulnerability detailed in CVE-2008-1451. Microsoft says an attacker could use an elevation of privilege to take complete control of an affected system, and then install programs; view, change, or delete data; or create new accounts.

MS08-035: Important
Titled "Vulnerability in Active Directory Could Allow Denial of Service (953235)", this bulletin is rated Important for all supported editions of Microsoft Windows 2000 Server, and rated Moderate for select editions of Windows XP Professional, Windows Server 2003, and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1445. Microsoft says the vulnerability could be exploited to allow an attacker to cause a denial-of-service condition.

MS08-036: Important
Titled "Vulnerabilities in Pragmatic General Multicast (PGM) Could Allow Denial of Service (950762)", this bulletin is rated Important for all supported editions of Windows XP and Windows Server 2003 and rated Moderate for all supported editions of Windows Vista and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-1440 and CVE-2008-1441. Microsoft says "an attacker who successfully exploited this vulnerability could cause a user's system to become non-responsive and to require a restart to restore functionality. Note that the denial-of-service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests."

CNET News.com' Robert Vamosi contributed to this story.