Windows users: Patch now or turn off Bluetooth

Microsoft's June Patch Tuesday release included a critical fix for a flaw in the Bluetooth stack that affects all Windows Vista and XP systems and could allow attackers to wirelessly steal confidential information from laptops. The flaw, detailed in Microsoft bulletin CVE-2008-1453 and rated 'critical', could allow an attacker to take complete control of an affected system, install programs, alter data or create new accounts with full user rights.

The MS08-030 patch modifies the way that the Bluetooth stack handles a large number of service description requests. Microsoft recommends applying the patch immediately and security experts advise users to turn off Bluetooth features until the patch has been applied. Matthew Aburn, director of security consultancy Halcyon, said the flaw was particularly dangerous because hardware manufacturers usually set the factory default for Bluetooth as 'active'.

Link: Microsoft KB Article MS08-030
View: Full Article @ ZDNet

11 Comments

So you've got to:

a) Have a computer with BlueTooth Capabilities or a BlueTooth dongle
b) Be within 10m of someone with a computer ALSO with BlueTooth or a dongle
c) Be within 10m of someone with a computer that has BlueTooth or a dongle that has the knowledge and ability and software to access your computer by manipulating the BT stack.

The chances? Slim to none. This is a little sensationalist for something that won't happen to 99.999999% of anybody.

Retracted due to overwhelming disagreement

a) most new laptops have bluetooth built in
b) some laptops (including mine) turn both wireless and bluetooth on together so when you're out in public if you use a wireless network you also have bluetooth on
c) OK, I'll admit the chances are slim but it could happen

(El Sid said @ #3)
...
c) Be within 10m of someone with a computer that has BlueTooth or a dongle that has the knowledge and ability and software to access your computer by manipulating the BT stack.

The chances? Slim to none. This is a little sensationalist for something that won't happen to 99.999999% of anybody.

Or, alternatively, a malicious user set this up on his laptop and parks his butt in the middle of Starbucks or other such popular hotspot where literally hundreds of people are online every day.

Yeah, he's gonna be in black-hat heaven. This is good advice and awareness for users, don't make it sound like it could never happen.

@El Sid
I think this is directed at businesses, and laptop users. It says in the article that laptop users need to be aware. Since most people take their laptops to coffee shops & other wifi hotspots, it would be quite possible for this to be a security issue.

You hit the nail on the head with this one. This is surely targeting business users that are not technically savvy, and looking for easy pickin's. Although concerning, it does raise this attention to those who work to protect private business interests, but over sensationalized.

*tries to think of something*

Ah, okay, so sticking with the Starbucks explanation others have used, some people might take advantage of the wifi to check their email, etc, and then turn bluetooth on to sync their smartphones.

...which is still a very, very small window of time for the attacker to make his move if you turn off bluetooth once it's done, but meh. Maybe you forget and leave it on while you waste time downloading last night's Colbert Report?

Does this apply to BlueSoleil's implementation or purely the Microsoft one? I ditched the MS one yonks ago for the superior BlueSoleil...
