January 31, 2007 12:38 PM PST

Windows Mobile flaws could crash phones

A security firm has found a pair of security bugs in Microsoft's Windows Mobile which, if exploited, could crash phones and other devices running the software.

The vulnerabilities lie in Windows Mobile Internet Explorer and Windows Mobile Pictures and Video, Trend Micro, a Tokyo-based security vendor, said in a pair of security alerts. Viewing a rigged Web page or malicious JPEG image file on a Windows Mobile device will cause it to fail, according to Trend Micro.

"Both of these vulnerabilities are potential denial-of-service factors," Todd Thiemann, director of device security marketing at Trend Micro, said in an interview Tuesday. "What we're seeing over time is an uptick in the threats against smart phones, particularly those running Symbian and Windows Mobile."

Trend Micro has told Microsoft about the problems and has not publicly shared the vulnerability details. "The sky isn't falling. Nobody out there is aware of this," Thiemann said. The company doesn't expect any imminent attacks exploiting the problems, he said.

Microsoft is aware of the issues and is investigating them, a company representative said Wednesday. If needed, the software maker will provide an update to hardware makers for distribution to people who use the Windows Mobile devices, it said. The problems affect Windows Mobile 2003 and Windows Mobile 5.0, according to Trend Micro.

While the number of threats to phones today is low, security experts and analysts agree that situation is likely to change with the advent of smart phones running common operating systems. Security companies, including Trend Micro, are hawking software to shield phones against possible attacks.

Another Word zero-day bug
In addition to the Windows Mobile issues, Microsoft is also investigating a report of yet another vulnerability in Word. Symantec and the French Security Incident Response Team, or FrSirt, say they have spotted a fifth zero-day flaw in the word-processing application. Microsoft, however, says the problem was previously known.

"Microsoft's initial investigation shows that this is not a new vulnerability but a duplicate of an already known public issue," the Microsoft representative said.

The newest problem allows an attacker to hijack systems running Word 2003, Symantec said in an alert Tuesday. The company has advised people to make sure their security software is up to date and urges caution when opening Word documents.


20 comments

The problem with Windows Mobile flaws
Before anyone accuses me of being the completely anti-Microsoft person that some think me to be (seeing as how they can't take any MS criticism), let me tell you that I am indeed a Windows Mobile user.

There is a problem that many Windows Mobile users, including myself, know all too well. Even if Microsoft releases patches for Windows Mobile, device makers are often slow to release working updates to the users. I own a Dell Axim 50v, and it took until just a short time ago before there were any updates for Windows Mobile 5.0 on the device! Sure, there were plenty of known bugs, but no patches available.

The fault for not getting fixes lies largely on the device manufacturers, and with the growing number of security problems on mobile devices it is clear that they need to step up. Microsoft may be responsible for the existence and patching of the bugs, but someone needs to make updates available for the specific devices!
Posted by ddesy (4336 comments )
So the problem is in the product model.
SW Via M$,
HW Via ??.
I'll get an iPhone (and don't say anything about no office apps,
Word on a smartphone is PAINFUL!!!)
Posted by Graham Fluet (31 comments )
Ha, My Dell Axim Runs IE 4
Dell thanks me as a customer by freezing my $350 Axim X30 at 2004. It runs IE version 4. Many sites do not render properly, if at all. A smaller but growing number crash the browser completely. My only option is to fork out money to buy Opera Mini.

If you own a device that runs embedded Windows then you are completely at the mercy of the vendor. Most times they will only support the device for about a year, until the next model comes out. They have no desire for you to keep using the device for several years. They want you to throw it out and buy their latest, most expensive model.
Posted by Stating (869 comments )
They crash anyway
My little MPx-220 likes to lock up on its own - it doesn't need any help. But how would you get updates anyway? It's not like MS makes them available. They require a reflash of the ROM in your phone, so you have to wait for the manufacturer to provide one, which on my outdated phone they probably won't.
Posted by robbtuck (132 comments )
crashes indeed
I just came in here to say the same thing. What makes a pocket PC/mobile PC crash? Loading applications on it and starting them. Love the "report an error" pop-up on my screen. It's there so much it's starting to burn in the display.
Posted by mjm01010101 (126 comments )
In MS' defense
In an unusual position on this, I have to defend Microsoft.

Small, flash based systems are not quite so easy to update as
desktops or servers. If you look at the specifications of different
PDAs and Smartphones, I think you will see that they are all very
different and all contain some sort of manufacturer tweaks.

If Microsoft were to provide your classic "Patch Tuesday" type
updates, they could very easily cause problems with these
tweaked devices. This puts them at a distinct disadvantage over
companies like Apple who will control both with the iPhone.
That kind of control will allow Apple to release updates as they
wish.
Posted by ddesy (4336 comments )
Get an iPhone!!!
Be done with all this Widoze BLOAT!!! MS couldn't program their
way out of a paper bag. The real secure OS is coming to an AT&T
or Apple store near you soon. Enjoy the freedom.
Posted by Dr Dude (49 comments )
Touch only phone. I don
Anyways
Posted by Akiba (220 comments )
Touch only phone. I don't think so
I would consider getting an iPhone if it wasn't touch screen only and had a keyboard. It may look cool but the usability is crap. It's useless if you aren't looking straight at the screen.
Posted by Akiba (220 comments )
AT&T Freedom? Ha, Ha, Ha, Ha
Freedom from AT&T? I laughed so hard I just fell out of my chair. Fortunately my fall was broken by the AT&T notice telling me that their service fees are going up 30% or more. Let's see, Caller ID is now $7.99, Call Forwarding $3.99. Man I love this freedom. The only thing better would be getting charged to RECEIVE my monthly bill. Oh, how about a fee to process my payment too. That would be great!
Posted by Stating (869 comments )
ah yes, wait years
for Apple to 'invent' a less capable, more expensive, and far less open solution.

Sorry, I actually have to live and work in the present, not sitting around hoping Apple will catch up
Posted by catch23 (436 comments )
Which one Cisco's or Apple's???
Cisco owns the IPhone name and I hope they stick it to crapple.
Posted by ittech1 (11 comments )
Predictably Microsoft-ish
Does Microsoft create anything that doesn't crash?

Walt
Posted by wbenton (522 comments )
Get a life
Go fix global warming; my Windows Mobile devices are just fine.
Posted by sal-magnone (162 comments )