It was a Tuesday made for patching: 22 vulnerabilities in Microsoft Windows and Office, including a bug in the Bluetooth stack of Vista and Windows 7 that a nearby attacker could use to hijack the PC.
Of Tuesday’s four updates, called “bulletins” by Microsoft, only one was labeled “critical,” the most-serious rating in the company’s four-step scoring system, while the other three were “important,” the next-most-dangerous category.
The 22 individual bugs patched were more than in most odd-numbered months, which are typically light months for Microsoft. If you are keeping score, July’s bugs came in behind April’s 64 and June’s 34, and tied with February.
The standout bulletin was clearly the sole critical update, MS11-053, researchers said.
The Vista and Windows 7 update plugs a hole in the two operating systems’ Bluetooth stack.
An attacker could exploit the vulnerability against someone using a Bluetooth mouse or headset, so it remains important that people apply the patch or, if they can’t, disable Bluetooth on Vista and Windows 7.
The vulnerability does not affect Windows XP. Although the 10-year-old operating system supports Bluetooth, Microsoft rewrote the Bluetooth stack for Vista, and the flaw lies in that newer code.
Microsoft also put MS11-053 at the top of its patch priority list, but cited several caveats to explain why it believes attackers are unlikely to produce a reliable exploit within the next month.
“Your system’s 48-bit Bluetooth address is not ‘discoverable’ by default,” said Jonathan Ness, an engineer with the Microsoft Security Response Center, in a blog post. “In the default state, an attacker must obtain your Bluetooth address another way — either via brute forcing it or extracting it from Bluetooth traffic captured over-the-air.”
The former could take an attacker hours, Ness added, while the latter requires specialized hardware costing thousands of dollars.
Even so, experts pointed out that the Bluetooth vulnerability might be worthwhile to some attackers.
A user can download and install July’s security patches via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.
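The advice above boils down to two actions on a Vista or Windows 7 machine: confirm the MS11-053 fix is installed, and if it is not, disable Bluetooth until it can be. The script below is an added example, not code from the article or from Microsoft, that performs that check from an elevated PowerShell prompt. The KB number it looks for (KB2566220) is taken from the MS11-053 bulletin title and is an assumption the article itself does not state; the service name bthserv (Bluetooth Support Service) is the standard Windows 7 service name.

```powershell
# Added example (not from the article or Microsoft): report whether this host
# still needs the MS11-053 Bluetooth fix and, on request, stop the Bluetooth
# Support Service as an interim workaround. The KB id is an assumption taken
# from the bulletin title; the article does not state it.
param(
    [string]$KB = 'KB2566220',
    [switch]$DisableBluetooth
)

$os = Get-WmiObject Win32_OperatingSystem
Write-Host "Host: $env:COMPUTERNAME  OS: $($os.Caption) $($os.Version)"

# Windows XP (5.x) runs the older Bluetooth code and is not affected;
# Vista is 6.0 and Windows 7 is 6.1.
if ([version]$os.Version -lt [version]'6.0') {
    Write-Host 'Pre-Vista OS: MS11-053 does not apply.'
    return
}

# Is any Bluetooth radio or device enumerated on this machine at all?
$btDevices = Get-WmiObject Win32_PnPEntity | Where-Object { $_.Name -match 'Bluetooth' }
if (-not $btDevices) {
    Write-Host 'No Bluetooth hardware enumerated; nothing is listening until a radio is attached.'
} else {
    $btDevices | ForEach-Object { Write-Host "  Bluetooth device: $($_.Name)" }
}

# Is the hotfix present? Get-HotFix reads Win32_QuickFixEngineering and writes a
# non-terminating error when the id is absent, hence SilentlyContinue.
$fix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
if ($fix) {
    Write-Host "$KB installed on $($fix.InstalledOn): MS11-053 is patched."
} else {
    Write-Warning "$KB not installed: the Bluetooth stack is unpatched."
    if ($DisableBluetooth) {
        # Interim workaround: stop and disable the Bluetooth Support Service.
        # Fully switching the radio off still means disabling the Bluetooth
        # device in Device Manager, which this script does not automate.
        Stop-Service -Name bthserv -ErrorAction SilentlyContinue
        Set-Service  -Name bthserv -StartupType Disabled
        Write-Host 'Bluetooth Support Service (bthserv) stopped and disabled.'
    } else {
        Write-Host 'Re-run with -DisableBluetooth to stop the Bluetooth service until the patch is applied.'
    }
}
```

Run it once before patching to see the warning, then again after Windows Update has installed the bulletin to confirm the hotfix shows up; if you used -DisableBluetooth in between, remember to set bthserv back to its original startup type once the fix is in place.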