In May of 2006, for my second blog post for Symantec, I penned an entry entitled, "The Elephant Under the Carpet (and when I say 'carpet' I mean PDA). " The purpose of that post was to dispel the myth that Windows CE (and thus Windows Mobile) doesn't have security issues, and to point out that Microsoft had silently patched a number of security-related bugs. At that time, I couldn't see any Windows CE 5.0 security issues patched by Microsoft. This didn't seem right, so I decided it was time to review the situation. This blog post is an update to cover some issues since then.
If you look at Microsoft's Windows CE Critical Updates and Security site,  you'll see that there are no issues listed. It's important to point that, due to Microsoft's restrictions around getting information with regards to Windows Mobile, I will only be analyzing public information on Windows CE. The result is that there are potentially other vulnerabilities in the components that are unique to Windows Mobile or that aren't immediately obvious as being security issues due to their descriptions.
The first port of call for analysis is the end of year rollup for 2006 . Looking for issues that are obviously security related, we see:
- Component MSXML
a) 061130_KB918456 - This security update addresses areas such as cross-site scripting attacks, crashing MSXML, and putting the operating system into infinite loops.
- Component .NET Compact Framework
b) 041201_KB890061 - .NET Compact Framework update for Windows CE 5.0. Specifically - Memory corruption may occur on devices that have the native security model enabled and both .NET CF V1 SP3.
Other bugs which aren't clear but sound suspiciously like security issues:
- Component Jscript
d) 060602_KB918755 - An access violation may occur when a user attempts to open certain Web sites.
Although that's not bad for a year, looking at the January monthly update,  we see one other security issue:
e) 070118_KB930642 - Security update. Vulnerability in TCP/IP could allow denial of service.
Surprisingly, 070118_KB930642 is actually the IGMP vulnerability mentioned in MS06-007 . According to my notes, we actually informed Microsoft on the day of release of the original advisory (14th of February 2006) that it affected Windows CE in addition to other Windows versions. On the 26th of February 2007 (yes, over a year later) we were told that this was resolved in Windows Mobile 6 (i.e. CE 5.02). I don't know about the Windows Mobile 5 handsets, as we were not informed of the status of it - but I suspect I know the answer. The result is that all the existing Windows CE 5 and Windows Mobile 5 devices and handsets out there are susceptible to this remote denial of service. While handsets connected to a cellular operator's network via GPRS or UMTS are somewhat protected by inter-subscriber filtering, the same cannot be said of those on an 802.11 connection unless there is specific filtering in place. So, in short, if you use a Windows Mobile 5 or Windows CE 5 device on an 802.11 connection, and you don't have a personal firewall installed, you run the risk of being susceptible to this denial of service condition.
So, in summary, bugs are still being found in Windows CE (and thus Windows Mobile), some of which are being reported to OEMs (we're aware of at least some other previous Microsoft advisories which also apply to CE/Mobile but to this day still don't indicate the fact); however, it would seem that user awareness is not high in the list of priorities. One does hope that, with the advent of Windows Mobile 6 and the inclusion now of Windows Update, this can change moving forward.
 Windows CE Critical Updates and Security
 Windows CE Updates
 Windows CE 5.0 Platform Builder - Cumulative Product Update Rollup Package (through 12/31/2006)
 Windows CE 5.0 Platform Builder Monthly Update (January 2007)<
 A malformed IGMP packet may cause a Windows CE 5.0-based device to stop processing network requests
 Vulnerability in TCP/IP Could Allow Denial of Service (913446)