Security Basics mailing list archives
Re: MS08-030 - Critical (if you do not run bluetooth?)
From: Robin Wood <dninja () gmail com>
Date: Thu, 2 Apr 2009 17:51:15 +0100
2009/3/30 Eggleston, Mark <meggleston () healthpart com>:
What are folks doing about this patch: "MS08-030 - Critical Vulnerability in Bluetooth Stack Could Allow Remote Code Execution (951376) * This vulnerability only affects systems with Bluetooth capability." Given the classic risk formula (Risk = Threat x Vulnerability) it is logical to determine that if your desktops do not have Bluetooth functionality and users cannot install such devices, the attack vector is cut off, so the threat is mostly non-existent, thereby making the risk negligible. I am leaning towards patching as just part of good patch management hygiene, but what would you do if you have no intention to deploy Bluetooth on your devices?
I told this story on the pauldotcom maillist a while ago, but I'll give a quick summary of it here. A friend's lab has a machine that runs a very critical piece of software; it is a stand-alone machine, completely air-gapped from everything else. As the software is old and they have no network connection, they never patch the machine, just in case it breaks anything. They also don't run antivirus. One day virus alerts started popping up and I got a call to investigate. Turns out someone had bought a GPRS dongle at lunchtime and wanted to try it out before going home, so they plugged it into the machine, did some browsing and instantly got owned by one of the fake antivirus apps.

For me, this emphasises that even if I think the risk is negligible, I'd still rather have things in place to reduce it further if possible. Unless there is a very good reason for not installing a patch, I'd install it even if it doesn't currently affect me. What happens in the future if someone buys a Bluetooth presentation clicker thing and wants that installed? Will you remember you didn't install this patch?

The lab has since plugged their USB ports.

Robin
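The two facts the thread turns on are whether a host actually has Bluetooth hardware and whether the MS08-030 hotfix (KB951376, named in the subject) is installed. The following PowerShell audit is an added example, not code from either poster, and makes two assumptions not stated in the thread: that Bluetooth devices register under the Bluetooth setup-class GUID {e0cbf06c-cd8b-4647-bb8a-263b43f0f974} or with a driver service whose name starts with BTH, and that the hotfix is recorded in Win32_QuickFixEngineering (which lists only operating-system updates, so a missing entry should be confirmed against WSUS or Add/Remove Programs before acting on it).

```powershell
# Added example (not from the original thread): report, per host, whether a
# Bluetooth radio is present and whether KB951376 (MS08-030) is installed.
# Assumptions, not facts from the thread: Bluetooth devices carry the
# Bluetooth setup-class GUID or a BTH* service name, and the hotfix shows
# up in Win32_QuickFixEngineering.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$HotfixId = 'KB951376'   # hotfix from the thread subject
)

# Setup-class GUID Windows assigns to Bluetooth radios (assumed detection key).
$BluetoothClassGuid = '{e0cbf06c-cd8b-4647-bb8a-263b43f0f974}'

foreach ($computer in $ComputerName) {
    # Enumerate plug-and-play devices and keep anything that looks like Bluetooth.
    $radios = Get-WmiObject -Class Win32_PnPEntity -ComputerName $computer |
        Where-Object { $_.ClassGuid -eq $BluetoothClassGuid -or $_.Service -match '^BTH' }

    # Look the hotfix up in the installed-updates inventory.
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $computer |
        Where-Object { $_.HotFixID -eq $HotfixId }

    New-Object PSObject -Property @{
        Computer         = $computer
        BluetoothPresent = [bool]$radios
        BluetoothDevices = ($radios | ForEach-Object { $_.Name }) -join '; '
        HotfixInstalled  = [bool]$fix
        # Exposed today: radio present and patch missing.
        ExposedNow       = ([bool]$radios) -and (-not $fix)
        # Robin's point: a host with no radio but no patch is still a latent gap.
        LatentGap        = (-not $radios) -and (-not $fix)
    }
}
```

Run it with `-ComputerName` pointed at a list of desktops; hosts with `LatentGap` true are the ones that would silently become `ExposedNow` the day someone plugs in a Bluetooth dongle or presentation clicker.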
Current thread:
- MS08-030 - Critical (if you do not run bluetooth?) Eggleston, Mark (Apr 02)
- Re: MS08-030 - Critical (if you do not run bluetooth?) Robin Wood (Apr 03)
- Re: MS08-030 - Critical (if you do not run bluetooth?) Chris (Apr 03)
- <Possible follow-ups>
- Re: MS08-030 - Critical (if you do not run bluetooth?) krymson (Apr 03)
- Re: Re: MS08-030 - Critical (if you do not run bluetooth?) ad33lh (Apr 03)