Microsoft released four security bulletins for Patch Tuesday today, including one that fixes a critical hole related to Bluetooth in Windows 7 and Vista and three less serious patches that plug 21 holes affecting all supported versions of Windows and Visio 2003.
The highest priority is MS11-053, which fixes a vulnerability that could allow an attacker to take control of a computer by sending malicious Bluetooth wireless packets.
Jerry Bryant, group manager for security response at Microsoft, downplayed the possibility of exploitation in the wild, saying there are mitigating factors, including the fact that Bluetooth on a target device would have to be discoverable, which is not the default mode.
"So an attacker would have to be in line-of-sight of you and would have to brute force their way into discovering your (network) address, and that would be assuming you are actively advertising it for them," he said in an interview. "There are tools out there to help an attacker do that, but they are expensive and take a long time to run. It's a serious issue but I don't think it will be something we see active exploits on in the near future."
Marcus Carey, security researcher at Rapid7 noted that many people regularly rely on Bluetooth-enabled devices, or have Bluetooth set to "on" and don't realize it. "This should concern users who have internal Bluetooth devices or people that use after-market Bluetooth headphones, mouses, keyboards, and printers through USB," he said. "The problem with Bluetooth is that often people have their Bluetooth devices activated and are totally unaware that they are transmitting."
Meanwhile, there were three other bulletins released, all rated "important." One resolves 15 vulnerabilities in Windows Kernel-Mode Drivers. Another fixes five bugs in Microsoft Windows Client/Server Run-time Subsystem. And the third resolves a vulnerability in Microsoft Visio. More details on the releases is here.
Microsoft also released today a white paper, "Mitigating Software Vulnerabilities," that has specific information IT professionals can use to enable attack-blocking technologies such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).