Microsoft patches 10 bugs in Windows, IE and Bluetooth

Computerworld - Microsoft Corp. today patched 10 vulnerabilities, four marked "critical," in Windows and Internet Explorer and disabled a little-known third-party ActiveX control bundled with Logitech hardware, including keyboards and mice.

The 10 fixes are delivered in seven separate security updates, three of which were considered critical, the highest threat ranking in Microsoft's four-step scoring system.

The one that caught the eyes of most analysts was MS09-030, a critical update that patches a single bug in Windows' implementation of Bluetooth. "This is the most interesting of the bunch," said Tyler Reguly, a security research engineer at nCircle Network Security Inc. "We haven't seen Microsoft patching Bluetooth before for one thing."

Eric Schultze, chief technology officer at Shavlik Technologies LLC, echoed Reguly, saying that he couldn't remember Microsoft ever addressing Bluetooth, either. "This sounds like it's pretty bad," said Schultze, "but the bulletin is unclear and doesn't tell you whether Bluetooth is enabled by default on Windows XP." If it's not, he added, the danger would be reduced.

An attacker could exploit the flaw by flooding the receiving system -- a laptop in a public place, for example -- with a large number of malformed SDPs (Service Discovery Protocols). No user interaction is required, meaning that an attack could be mounted without the user knowing.

A Symantec Corp. researcher also tagged the Bluetooth bug as the most notable of the month. "The vulnerability is especially noteworthy because it allows an attacker in range of a Bluetooth-enabled device running Windows XP or Vista to take control of that device," said Ben Greenbaum, a Symantec senior research manager, in an e-mail Tuesday.

The other two critical updates are run-of-the-mill client-side bugs, said Reguly, the kind Windows users by now expect to see each month. "The DirectX and Internet Explorer, are standard client-side stuff," Reguly said. "Both would use the Web as an attack vector, and well, IE -- we almost always see patches for IE."

Schultze agreed. "Standard IE," he said. "It's not even fun to talk about these any more."

MS08-031 patches a pair of vulnerabilities in IE, one of which Microsoft pegged as critical, while the other it judged as "important," its second-highest rating. The bugs affect all currently-supported versions of the browser, including IE7 on the newest updates to both Windows XP and Windows Vista, Service Pack 3 and SP1, respectively.