MS11-053: Vulnerability in the Bluetooth stack could allow remote code execution

The single Critical vulnerability in today’s batch of security updates addresses an issue in the Bluetooth stack. Your workstations’ risk to this vulnerability varies, depending on a number of factors. I’d like to use this blog post to outline those risk factors.

How can I protect my system?

The best way to protect any potentially vulnerable system is to apply the MS11-053 security update. If you are not able to apply the security update, you can close off the attack surface by preventing any Bluetooth device from connecting to your computer. The graphic below shows the Windows 7 Bluetooth Settings option for doing so. Side effect: Your Bluetooth mouse or headset will stop working until you re-allow Bluetooth devices to connect to your computer.

Am I vulnerable to remote code execution attacks today?

Short answer: Probably not. And here’s why:

Exploitability: First, we assigned this vulnerability with an Exploitability Index rating of “2”. We believe it will be difficult to build a reliable exploit for code execution using this vulnerability. It’s more likely that attackers will discover a way to cause a system denial-of-service (“bugcheck” / “bluescreen”) using this vulnerability.

Discoverability: Secondly, your system’s 48-bit Bluetooth address is not “discoverable” by default. Notice in the Bluetooth Settings screenshot above that Bluetooth devices are not allowed by default to “find” this computer. If your system were “discoverable,” it would respond to attacker SDP queries with its Bluetooth address. But in the default state, an attacker must obtain your Bluetooth address another way – either via bruteforcing it or extracting it from Bluetooth traffic captured over-the-air.

Extracting Bluetooth address by sniffing traffic: If you have paired a Bluetooth peripheral and are actively communicating, it is hard but not impossible to extract the Bluetooth address from the traffic sent over-the-air. A device is available on the market for $10,000 – $30,000 to do this in about 5 minutes. Research continues to advance in this space and we expect in years to come that this will become quicker for attackers. But for now, it remains difficult but not impossible to extract the Bluetooth address from over-the-air traffic.

Proximity: Finally, while this vulnerability is exposed remotely, it is not reachable over the Internet. An attacker must be physically nearby to target you. Again, recent research has widened the definition of “nearby” for Bluetooth but suffice to say that an attacker would need to be within line-of-sight. This nearby attacker then could spend several hours brute-forcing your Bluetooth address and attempting to exploit the vulnerability.

This combination of factors leads us to believe that systems are unlikely to be exposed to reliable remote code execution exploits via this vulnerability in the next 30 days.

Thanks to Krupa Poobala-chandran from the Windows Sustained Engineering team for the help yesterday afternoon pulling this blog post together.

– Jonathan Ness, MSRC Engineering