I got my first Windows Mobile device in 2004, a Telecom New Zealand HTC Falcon Smartphone running the Windows for PocketPC 2002 variant of Microsoft’s operating system for handhelds, and the next year the EV-DO Rev 0 enabled HTC Harrier, with Windows Mobile 2003 Second Edition loaded. I really liked the phones, but being used to Windows in general, one of the first things I looked for was an update function of some kind, to apply bug fixes and security patches.
There was none. I thought this was remarkable at the time, and interviewed Microsoft about it for Virus Bulletin. Microsoft downplayed the risks and basically said “try not to get infected”, a response that didn’t satisfy Michael Moser of IBM Research GmbH in Switzerland, who wrote a follow-up story in Virus Bulletin critical of Microsoft’s approach to security for Windows Mobile devices.
The original alert about the MMS exploit came via Ollie Whitehouse at Symantec’s security blog. Whitehouse points to Colin Mulliner’s working exploit using SMIL (Synchronized Multimedia Integration Language). All an attacker needs to do to make use of the exploit is to send an MMS carrying the malicious code to someone. If that person views the MMS message, s/he’s “0wn3d” (Colin in fact lists multiple exploits, with effects ranging from remote denial of service to execution of arbitrary code on the device being attacked).
I talked to Geekzone’s resident expert on mobile devices in general and Windows Mobile in particular, Mauricio Freitas, about the MMS exploit. He points out that the MMS clients are supplied by third-party vendors and not Microsoft. The vendors in question should release fixes as soon as possible, and Mauricio also thinks it’s irresponsible to release a working exploit while there’s no patch for the vulnerability. It should also be noted that Symantec has what could be deemed a conflict of interest here, as it offers security solutions for mobile devices.
In principle, I agree with Mauricio here. At the same time though, Colin Mulliner reported the vulnerability to Microsoft and Arcsoft in July last year, and disclosed it on Bugtraq in August. It’s now January 2007, so where are the patches? Well, there are none. This goes back to what I discovered in 2005: urgent security maintenance on Windows Mobile (or should I say, Windows CE?) is almost impossible.
When it comes to something like the MMS exploit, vendors have to develop a patch, make sure it passes Microsoft’s scrutiny and then test it with their manufacturer and carrier partners around the world. What’s more, the patch wouldn’t be distributed by Microsoft or the vendor, but through the carrier partners. This is a slow and cumbersome process, with customers being left vulnerable for months if not years on end.
Is this really acceptable? Windows Mobile devices are in many cases deployed by corporate customers whose users hook them up to the workplace network. Sure, you can add firewalling and even put an anti-virus or malware detector on the WM device, but surely it would be better to plug the vulnerability instead?
Maybe it’s time for Microsoft to rethink how it manages Windows Mobile security before a mass attack happens.