
Security Issues & COTS Mobile Operating Systems – Some Very Rough Numbers

Created: 20 Nov 2007 08:00:00 GMT • Updated: 23 Jan 2014 18:44:31 GMT
Ollie Whitehouse

I was interested in getting some rough numbers on publicly disclosed vulnerabilities in Symbian and Windows CE/Mobile platforms and applications. I cannot say with any degree of confidence that what I present below is reflective, simply due to the fact that different bugs get categorized under different vendors, platforms, or keywords. What I can document is the method I used to arrive at the below numbers. I used cve.mitre.org and did the following:

• searched by vendor, platform for Windows Mobile & Windows CE
• searched for keyword MMS picking out those relevant
• searched for keyword SMS picking out those relevant
• searched for keyword Symbian
• searched for keyword Nokia picking out those relevant

So the summary is that there are 16 for Windows CE/Mobile and six for Symbian. I guess this demonstrates people are finding vulnerabilities in these two platforms. If we take out the third-party applications on Windows CE/Mobile (i.e. those outside of core functionality) we get nine, versus Symbian’s six. Once we do this the numbers are pretty close.

Below are all the CVEs I found – make of it what you will. As I said, the method I used to come up with these numbers isn’t the most sound, but at least hopefully it is indicative. What it also shows us is that Bluetooth was the biggest nightmare to date for handset manufacturers. We can also see that there seems to be an increasing number of bugs in recent years.

Hopefully this upward trend and the range of software components in which vulnerabilities are being found will make everyone more aware of the need for security in this space before it’s too late.

Windows CE/Mobile

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5493 - SMS
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5460 - ActiveSync
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3445 - 3rd Party VoIP
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3362 - 3rd Party VoIP
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3351 - 3rd Party VoIP
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2883 - 3rd Party Security
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0878 - Browser
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0685 - Browser
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0674 - JPG Parsing
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0111 - 3rd Party Image Processing
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6908 - 3rd Party Bluetooth
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-6902 - Bluetooth
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4614 - 3rd Party Security
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4132 - MMS
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4131 - MMS
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2001-0162 - Networking

Symbian

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0523 - Bluetooth
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0521 - Bluetooth
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-4464 - Browser
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-0797 - Bluetooth
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-1809 - Bluetooth
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-0681 - Bluetooth
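
The totals quoted in the post can be re-derived from the two lists above. The following is an added example, not part of the original post: it embeds the CVE IDs and labels exactly as listed, treats the "3rd Party" prefix as the marker for non-core software, and tallies by platform, component and CVE ID year (the function names are illustrative).

```python
import re
from collections import Counter

# IDs and labels copied from the two lists on this page, two per line.
PAGE_LIST = """\
Windows CE/Mobile
CVE-2007-5493 - SMS; CVE-2007-5460 - ActiveSync
CVE-2007-3445 - 3rd Party VoIP; CVE-2007-3362 - 3rd Party VoIP
CVE-2007-3351 - 3rd Party VoIP; CVE-2007-2883 - 3rd Party Security
CVE-2007-0878 - Browser; CVE-2007-0685 - Browser
CVE-2007-0674 - JPG Parsing; CVE-2007-0111 - 3rd Party Image Processing
CVE-2006-6908 - 3rd Party Bluetooth; CVE-2006-6902 - Bluetooth
CVE-2006-4614 - 3rd Party Security; CVE-2006-4132 - MMS
CVE-2006-4131 - MMS; CVE-2001-0162 - Networking
Symbian
CVE-2007-0523 - Bluetooth; CVE-2007-0521 - Bluetooth
CVE-2006-4464 - Browser; CVE-2006-0797 - Bluetooth
CVE-2005-1809 - Bluetooth; CVE-2005-0681 - Bluetooth
"""

ENTRY = re.compile(r"(CVE-(\d{4})-\d{4,}) - ([^;\n]+)")
THIRD_PARTY = "3rd Party "

def parse(text):
    """Return (platform, cve_id, id_year, component, is_third_party) rows."""
    rows, platform = [], None
    for line in text.splitlines():
        entries = ENTRY.findall(line)
        if not entries and line.strip():
            platform = line.strip()  # a non-entry line is a platform heading
        for cve_id, year, label in entries:
            label = label.strip()
            third = label.startswith(THIRD_PARTY)
            component = label[len(THIRD_PARTY):] if third else label
            rows.append((platform, cve_id, int(year), component, third))
    return rows

def summarize(rows):
    """Tally per platform (all and core-only), per component, per ID year."""
    return {
        "all": Counter(r[0] for r in rows),
        "core": Counter(r[0] for r in rows if not r[4]),
        "component": Counter(r[3] for r in rows),
        # The year in a CVE ID is when the ID was assigned, not disclosure.
        "id_year": Counter(r[2] for r in rows),
    }

if __name__ == "__main__":
    for name, counts in summarize(parse(PAGE_LIST)).items():
        print(name, counts.most_common())
```

Because the year comes from the CVE ID rather than a publication date, the per-year tally is only an approximation of when each issue became public.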