Security Basics mailing list archives

Re: MS08-030 - Critical (if you do not run bluetooth?)

From: Robin Wood <dninja () gmail com>
Date: Thu, 2 Apr 2009 17:51:15 +0100

2009/3/30 Eggleston, Mark <meggleston () healthpart com>:

What are folks doing about this patch:

"MS08-030 - Critical
Vulnerability in Bluetooth Stack Could Allow Remote Code Execution
(951376)
* This vulnerability only affects systems with Bluetooth capability."

Given the classic risk formula (Risk = Threat x Vulnerability) it is
logical to determine that if your desktops do not have Bluetooth
functionality and user's cannot install such devices, the attack vector
is cut off, so the threat is mostly non-existent, thereby making the
risk negligible.

I am leaning towards patching as just part of good patch management
hygiene, but what would you do if you have no intention to deploy
Bluetooth on your devices?

I told this story on the pauldotcom maillist a while ago but I'll give
a quick summary of it here. A friends lab has a machine that runs a
very critical piece of software, it is a stand alone machine
completely air gapped from everything else. As the software is old and
they have no network connection they never patch the machine just in
case it breaks anything. They also don't run antivirus.

One day virus alerts started popping up and I got a call to
investigate it. Turns out someone had bought a GPRS dongle at
lunchtime and wanted to try it out before going home so they plugged
it into the machine, did some browsing and instantly got owned by one
of the fake antivirus apps.

For me, this emphasises that even if I think the risk is negligible
then I'd still rather have things in place to reduce it further if
possible. Unless there is a very good reason for not installing a
patch I'd install it even if it doesn't currently affect me. What
happens in the future if someone buys a bluetooth presentation clicker
thing and wants that installed, will you remember you didn't install
this patch?

The lab has since plugged their usb ports.

Robin

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

No time or budget for traveling to a training course in this fiscal year? Check out the online information security
courses available at InfoSec Institute. More than a boring "talking head", train in our virtual labs for a total
hands-on training experience. Get the certs you need: CEH, CPT, CEPT, CISA, CISSP, CISM

http://www.infosecinstitute.com/request_online_training.html
------------------------------------------------------------------------

Current thread:

MS08-030 - Critical (if you do not run bluetooth?) Eggleston, Mark (Apr 02)
- Re: MS08-030 - Critical (if you do not run bluetooth?) Robin Wood (Apr 03)
- Re: MS08-030 - Critical (if you do not run bluetooth?) Chris (Apr 03)
- <Possible follow-ups>
- Re: MS08-030 - Critical (if you do not run bluetooth?) krymson (Apr 03)
- Re: Re: MS08-030 - Critical (if you do not run bluetooth?) ad33lh (Apr 03)