• Articles
    • Editorial Articles
    • Research Articles
    • WatchGuard Articles
  • The 443 Podcast
  • Threat Landscape
  • About
    • About Us
    • Contact Us
    • Contribute to Secplicity

Secplicity - Security Simplified

Powered by WatchGuard Technologies

Three Windows Updates: Critical Wireless Bluetooth Attack

July 12, 2011 By Corey Nachreiner

Also, Flaws in CSRSS and Kernel-Mode Drivers

Severity: High

12 July, 2011

Summary:

  • These vulnerabilities affect: All current versions of Windows and components that ship with it
  • How an attacker exploits them: Multiple vectors of attack, including sending specially crafted wireless Bluetooth traffic
  • Impact: An attacker can gain complete control of your Windows computer
  • What to do: Install the appropriate Microsoft patches immediately, or let Windows Automatic Update do it for you.

Exposure:

Today, Microsoft released three security bulletins describing 21 vulnerabilities that affect Windows and components that ship with it. Each vulnerability affects different versions of Windows to varying degrees. However, a remote attacker could wirelessly exploit the worst of these flaws to gain complete control of your Windows PC. The summary below lists the vulnerabilities, in order from highest to lowest severity (according to Microsoft’s summary).

  • MS11-053: Bluetooth Stack Code Execution Vulnerability

Bluetooth is an open wireless technology and standard for transmiting data over short distances.  The Bluetooth stack that ships with more recent versions of Windows suffers from a code execution vulnerability involving how it accesses memory that hasn’t been deleted or initialized. By wirelessly sending a series of specially crafted Bluetooth packets, an attacker could leverage this flaw to gain complete control of your vulnerable computers. However, an attacker would need to remain in Bluetooth range to carry out this attack. The average range of Bluetooth varies from 5 to 100 meters. However, using special gear, Bluetooth “Snipers” have extended the range up to a Kilometer. This flaw only affects Windows Vista and 7. 
Microsoft rating: Critical

  • MS11-054  15 Kernel-Mode Driver Elevation of Privilege Flaws

The kernel is the core component of any computer operating system. Windows also ships with a kernel-mode device driver (win32k.sys) which handles many kernel-level devices. This kernel-mode driver suffers from 15 elevation of privilege (EoP) vulnerabilities. The flaws all differ technically, but generally share the same scope and impact. By running a specially crafted program, a local attacker could leverage these flaws to gain complete control of your Windows computers. However, the attacker would first need to gain local access to your Windows computers using valid credentials. This factor significantly reduces the risk of this flaw.
Microsoft rating: Important

  • MS11-056: CSRSS Local Elevation of Privilege Vulnerability

The Client/Server Run-time SubSystem (CSRSS) is an essential Windows component responsible for console windows and creating and deleting threads. It suffers from five technically different, but functionally similar, Elevation of Privilege (EoP) vulnerabilities. Like the Kernel-Mode Driver flaw above, by running a specially crafted program, an authenticated attacker could leverage these flaws to gain complete, SYSTEM-level  control of your Windows computers. However, like before, the attacker would first need to gain local access to your Windows computers using valid credentials, which somewhat reduces the risk of these flaws.

  • Microsoft rating: Important

Solution Path:

Microsoft has released patches for Windows which correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately. If you choose, you can also let Windows Update automatically download and install these for you.

MS11-053:

  • For Windows Vista w/SP1
  • For Windows Vista w/SP2
  • For Windows Vista x64 w/SP1
  • For Windows Vista x64 w/SP2
  • For Windows 7
  • For Windows 7 x64

* Note: Windows Vista SP1 is only affected if you install the optional Feature Pack for Wireless

MS11-054:

  • For Windows XP (w/SP3)
  • For Windows XP x64 (w/SP2)
  • For Windows Server 2003 (w/SP2)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Server 2003 Itanium (w/SP2)
  • For Windows Vista (w/SP1 or SP2)
  • For Windows Vista x64 (w/SP1 or SP2)
  • For Windows Server 2008 (w/SP2)
  • For Windows Server 2008 x64 (w/SP2)
  • For Windows Server 2008 Itanium (w/SP2)
  • For Windows 7
  • For Windows 7 x64
  • For Windows Server 2008 R2 x64
  • For Windows Server 2008 R2 Itanium

MS11-056:

  • For Windows XP (w/SP3)
  • For Windows XP x64 (w/SP2)
  • For Windows Server 2003 (w/SP2)
  • For Windows Server 2003 x64 (w/SP2)
  • For Windows Server 2003 Itanium (w/SP2)
  • For Windows Vista (w/SP1 or SP2)
  • For Windows Vista x64 (w/SP1 or SP2)
  • For Windows Server 2008 (w/SP2)
  • For Windows Server 2008 x64 (w/SP2)
  • For Windows Server 2008 Itanium (w/SP2)
  • For Windows 7
  • For Windows 7 x64
  • For Windows Server 2008 R2 x64
  • For Windows Server 2008 R2 Itanium

For All WatchGuard Users:

Attackers exploit these flaws either locally, or via Bluetooth Wireless transmitions. WatchGuard’s wired and 802.11 wireless appliances do not protect these vectors. Therefore, installing Microsoft’s updates is your most secure course of action.

Status:

Microsoft has released patches correcting these issues.

References:

  • Microsoft Security Bulletin MS11-053
  • Microsoft Security Bulletin MS11-054
  • Microsoft Security Bulletin MS11-056

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at [email protected].
More alerts and articles: Log into the LiveSecurity Archive.

Share This:

Related

Filed Under: Security Bytes Tagged With: code execution, elevation of Privilege, Microsoft, Updates and patches

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

The 443 Podcast

A weekly podcast featuring the leading white-hat hackers and security researchers. Listen Now
the 443 podcast

Threat Landscape

Filter and view Firebox Feed data by type of attack, region, country, and date range. View Now
threat landscape

Top Posts

  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
  • US National Cybersecurity Strategy
  • Here Come The Regulations
  • Cybersecurity’s Toll on Mental Health

Email Newsletter

Sign up to get the latest security news and threat analysis delivered straight to your inbox

By signing up you agree to our Privacy Policy.


The views and opinions expressed on this website are those of the authors and do not necessarily reflect the policy or position of WatchGuard Technologies.

Stay in Touch

Recent Posts

  • Cybersecurity News: LastPass Incident Revealed, White House Issues Cybersecurity Strategy, FBI Purchases Leaked USHOR PII Data, and a Slew of Other Breaches
  • An Update on Section 230
  • Here Come The Regulations
  • US National Cybersecurity Strategy
  • Cybersecurity News: Free Cybersecurity Training, TrickBot Group Exposed, Major GoDaddy Breach, and Russia to Legalize cybercrime?!
View All

Search

Archives

Copyright © 2023 WatchGuard Technologies · Cookie Policy · Privacy Policy · Terms of Use