This morning we released a critical update for Windows addressing a vulnerability in the Microsoft Bluetooth stack (MS08-030). The bulletin is rated Critical since it allows an attacker to corrupt memory in the Windows kernel, which theoretically could allow an attacker to execute code in the context of the operating system on the remote computer. While we cannot conclusively disprove that attackers will be able to reliably exploit this issue, we still feel it is worth noting the factors which in our opinion make this issue less severe than the bulletin may imply.
First, since the issue is triggered over a Bluetooth link, the attacker would have to be within fairly close physical proximity to the target system. (The standard range of Bluetooth is in the order of meters, although an attacker could use specialized antennas to increase this). This is in contrast to most other remote flaws affecting TCP/IP and related protocols which can be exploited over large distances (e.g. the Internet).
Second, as the security bulletin states, the issue is triggered by a flood of SDP messages. To exploit the issue, an attacker must attempt to trigger a small timing window on the target host. The chances of this succeeding are dependent on the speed of the target, the rate at which SDP packets can be sent from the attacker and received by the target, and the number of processors on the target system. Based on our investigation, a single-processor machine is unlikely to be affected by this issue.
Finally, the attacker needs to find a way to control the memory layout of the target system, and place data they control in the correct location, all within the timing window mentioned above. This is different from other bugs that easily allow an attacker to control the memory layout (think of heap-spraying).
The information above is presented to help customers understand that the “sky is not falling” in terms of immediate risk due to this vulnerability. That said, we still recommend customers patch any affected systems, especially those that have Bluetooth enabled.
- Security Vulnerability Research & Defense Bloggers
*Postings are provided “AS IS” with no warranties, and confers no rights.*