Microsoft takes second crack at Bluetooth security patch
Microsoft has released a second version of its security update for a Bluetooth security flaw, after discovering the first one didn’t work.
The fix was intended to stop an attacker in proximity to a Bluetooth-enabled PC from sending it malicious packets to gain control of the system. However, the software giant was forced to admit the fix doesn’t work on the most current versions of its Windows XP operating system (OS).
“Our investigation found that while the other security updates were providing protections for the issues discussed in the bulletin, the Windows XP SP2 and SP3 updates were not,” notes Christopher Budd, a Microsoft spokesman.
Budd did not go into any further details about why the patch was flawed, except to say “early on, it appears that there may have been two separate human issues involved” and that an investigation had been launched.
Apple’s “carpet bombing” U-turn
Meanwhile, Apple has reversed its decision not to patch a Safari flaw identified earlier this month, which prompted Microsoft to take the unusual step of warning Windows users off running its rival’s web browser.
Researcher Aviv Raff discovered that Safari’s ability to automatically download certain files without the user’s permission leaves PCs particularly susceptible, because of the way the Windows OS handles executable files on the desktop.
He reported that Apple had told him it did not see the blended threat as an urgent security issue at the time. This was despite the fact that he had posted code showing how the so-called “carpet bomb” bug can be exploited to litter the victim’s desktop with executable files containing malicious code.
In an about-face, Apple yesterday issued a fix for the 3.1.2 version of its Safari browser for Windows, but not for Macs.
The vendor says the fix also addresses a less critical issue in the way Safari renders bitmap and GIF images, which could allow attackers to view the contents of a victim’s computer memory.