Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Security Response

The Elephant Under the Carpet (and when I say "elephant," I mean PDA)

Created: 12 May 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:59:38 GMT
Ollie  Whitehouse's picture
0 0 Votes
Login to vote

I’ve had my head in Windows CE and Windows Mobile for what feels like months, looking at the security architecture and the types of threats that will affect these types of devices now and in the future (plug: paper coming soon). As I was drawing to a close on finalizing some last minute edits, I noticed that Microsoft had launched a small sub-section on their Windows Embedded site dedicated to security [1]. Digging a little further, I noticed that in order to access details of the patches available for vulnerabilities in Windows Mobile you needed an OEM agreement in place with Microsoft [2].

This got me really interested. I originally wanted to see if some of the issues Symantec had identified were patchable already. WIth a little more digging I found that you could access the QFE Updates (like Service Packs to the development environment) for Windows CE Platform Builder without needing an OEM agreement [3] (this I presume is due to the fact that anyone can get Platform builder) through the Microsoft download search functionality.

The result of all of this can only be described as surprise, although there where no specific security updates mentioned in the “Windows CE 5.0 Product Update Rollup, December 31, 2005” [4] and “Windows CE 5.0 Update 060131_2006M01” [5] updates the same was not true for Windows CE 4.2. In the update “Windows CE .NET 4.2 Product Update Rollup, December 31, 2005” [6] the following vulnerabilities were resolved:

a) 030925_KB826296 - Security issue resolved: Buffer overrun may happen when calling a function GetMachineName().
b) 040714_KB843373 - Security issue resolved: The edit control may cause a buffer overrun.
c) 031008_KB829492 - ARMV4 only: When attempting to synchronize a POP3 Inbox that contains about 2000 messages, the device may hang, requiring a hard reset. An exception may also occur.
d) 040330_KB837052 - ASN.1 library may be susceptible to an integer overflow when allocating a heap block of a size specified by the BER-encoded ASN1 data. This may result in multiple vulnerabilities.
e) 041028_KB875504 - This update addresses some potential security vulnerabilities in one of the Portable Network Graphics (PNG) decoding libraries used in Windows CE .NET 4.2.
f) 051010_KB908362 - A device when set up as a server can be attacked by a client device.This security update addresses this issue.
g) 040430_KB833270 - Security issue resolved: buffer overrun may occur when using ASP parser on the web server.
h) 050127_KB891786 - This update addresses possible Passport security vulnerability issue.

As you can see from the six digits before the KB number, these are dates. Some of which go back over three years. I have only identified ones which are obviously security issues, there may be more which aren’t as obvious.

In my opinion, mobile devices are no less vulnerable that the desktop. It’s just that the vulnerabilities are not talked about as much.

References:

[1] http://msdn.microsoft.com/mobility/security/default.aspx
[2] http://msdn.microsoft.com/mobility/security/wm/default.aspx
[3] http://msdn.microsoft.com/embedded/usewinemb/ce/criticalupdates/default.aspx
[4] http://download.microsoft.com/download/5/c/1/5c12dff8-de1b-4996-bd8e-ad84ef6e226f/Windows%20CE%205.0_Product_Update_Rollup_2005.htm
[5] http://download.microsoft.com/download/e/8/5/e856c1e2-af39-4a68-a149-8b9f1ad9daf2/Windows%20CE%205.0_Update_060131_2006M01.htm
[6] http://download.microsoft.com/download/7/f/f/7ff144d4-9ffc-4017-94da