Although Microsoft's July Patch Tuesday monthly security update is relatively light, with only four updates as expected, the only critical bulletin, MS11-053, should be taken seriously, according to security experts.
The vulnerability patched by the update allows remote command execution on Windows 7 and Windows Vista, and affects both consumer and corporate users, said Marcus Carey, security researcher at vulnerability management firm Rapid7.
According to Microsoft, the update resolves a privately reported vulnerability in the Windows Bluetooth Stack.
The vulnerability could allow remote code execution if an attacker sent a series of specially crafted Bluetooth packets to an affected system. An attacker could then install programs and view, change or delete data, or create new accounts with full user rights.
"Wireless vulnerabilities such as MS11-053 are always quite sexy because if successfully exploited they allow attackers to do anything they want to the machine through Bluetooth wireless devices," said Carey.
But to exploit this vulnerability, he said, an attacker may need specialised equipment to transmit the specially crafted Bluetooth traffic.
"This should concern users who have internal Bluetooth devices or people who use after-market Bluetooth headphones, mice, keyboards or printers through USB," warned Carey.
The problem with Bluetooth, he said, is that often people have their Bluetooth devices activated and are totally unaware that they are transmitting.
For companies that require remote workers to connect via virtual private network (VPN) or directly to their office for updates, it is essential that all Bluetooth users are made aware of the risks and limit their Bluetooth usage until their systems can be patched, said Carey.
He believes there will be more Bluetooth-related bugs due to projects such as Project Ubertooth, which is enabling security researchers to experiment with Bluetooth hardware and communication.
"While critical, this vulnerability could be difficult to exploit as, generally speaking, attackers would need to be in the immediate vicinity of the Bluetooth device to compromise it; however, there are devices known as 'Bluetooth Sniper Rifles' that enable attacks from greater distances," said Carey.
The remaining three bulletins that were rated "important" are aimed at vulnerabilities in Windows kernel-mode drivers, Windows client/server run-time subsystem and Microsoft Visio.