Microsoft patches critical Windows Bluetooth bug

Microsoft has issued a fix for a serious flaw in Windows Vista and Windows 7 that, if left unpatched, could allow attackers to target systems even when they are disconnected from a network.

The kernel-level flaw, rated as 'criticial', revolves around techniques implemented in newer editions of Windows to make connecting devices over Bluetooth easier and more convenient.

The Windows Bluetooth Stack searches for compatible devices whenever a wired or wireless network is unavailable, in case the user wishes to connect to a mobile phone for wireless tethering. While this behaviour can be changed, it's the default for many laptops with integrated Bluetooth.

While in this searching state, it's possible for a malicious attacker to inject content that causes the stack to crash and execute arbitrary code at a system level. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," Microsoft's security advisory on the matter warns.

The flaw stems from poor access checking in the stack, which will happily access uninitialised or deleted portions of memory for data which it has been told exists. By crafting malicious packets designed to dump data into critical areas of system memory, it would be possible create a worm that spreads from system to system, even without the aid of a network.

Thankfully, the nature of Bluetooth offers some mitigation: like real-world viruses, malware created to take advantage of the Bluetooth stack flaw would be limited by proximity. Bluetooth, depending on its implementation, has a range between 10 metres and 100 metres, beyond which the signal is too weak to be picked up. As a result, any malware using the flaw as an attack vector would have to come from a local system.

Despite this, it's still a serious flaw. While it doesn't lend itself to large-scale attack, it's perfect for more targeted assaults: an attacker sat outside a business with a high-gain antenna is likely to find multiple Bluetooth-enabled laptops.

The patch, released yesterday, will be rolled out automatically to Windows 7 and Windows Vista users. Those still on Windows XP can rest easy, as the lack of a Bluetooth stack in that operating system makes it inherently safe from this flaw.

More information is available in Microsoft's security bulletin.