"There are thousands of these devices that were shipped," said Carey.

Storms said that although the first thing that comes to mind in a Bluetooth attack scenario is the coffee shop or public Wi-Fi hotspot, there are other subtle and plausible settings. "If someone's desk is next to a window, an attacker could target them, and have all the time in the world to brute force an attack," said Storms.

The four researchers also agreed with Microsoft that users should patch as soon as possible.

That update fixes a "DLL load hijacking" flaw in Visio 2003, a diagramming application that's part of the Office family.

DLL load hijacking, called "binary planting" by some security researchers, is the term used for attacks that rely on tricking applications or operating systems into loading a malicious file with the same name as a legitimate DLL, or dynamic link library.