Windows Mobile flaws could crash phones

A security firm has found a pair of security bugs in Microsoft's Windows Mobile which, if exploited, could crash phones and other devices running the software.

The vulnerabilities lie in Windows Mobile Internet Explorer and Windows Mobile Pictures and Video, Trend Micro, a Tokyo-based security vendor, said in a pair of security alerts. Viewing a rigged Web page or malicious JPEG image file on a Windows Mobile device will cause it to fail, according to Trend Micro.

"Both of these vulnerabilities are potential denial-of-service factors," Todd Thiemann, director of device security marketing at Trend Micro, said in an interview Tuesday. "What we're seeing over time is an uptick in the threats against smart phones, particularly those running Symbian and Windows Mobile."

Trend Micro has told Microsoft about the problems and has not publicly shared the vulnerability details. "The sky isn't falling. Nobody out there is aware of this," Thiemann said. The company doesn't expect any imminent attacks exploiting the problems, he said.

Microsoft is aware of the issues and is investigating them, a company representative said Wednesday. If needed, the software maker will provide an update to hardware makers for distribution to people who use the Windows Mobile devices, it said. The problems affect Windows Mobile 2003 and Windows Mobile 5.0, according to Trend Micro.

While the number of threats to phones today is low, security experts and analysts agree that situation is likely to change with the advent of smart phones running common operating systems. Security companies, including Trend Micro, are hawking software to shield phones against possible attacks.

Another Word zero-day bug
In addition to the Windows Mobile issues, Microsoft is also investigating a report of yet another vulnerability in Word. Symantec and the French Security Incident Response Team, or FrSirt, say they have spotted a fifth zero-day flaw in the word-processing application. Microsoft, however, says the problem was previously known.

"Microsoft's initial investigation shows that this is not a new vulnerability but a duplicate of an already known public issue," the Microsoft representative said.

The newest problem allows an attacker to hijack systems running Word 2003, Symantec said in an alert Tuesday. The company has advised people to make sure their security software is up to date and urges caution when opening Word documents.

[ddesy]

The problem with Windows Mobile flaws

Before anyone accuses me of being the completely anti-Microsoft person that some think be to be (seeing as how they can't take any MS criticism), let me tell you that I am indeed a Windows Mobile user.

There is a problem that many Windows Mobile users, including myself, know all too well. Even if Microsoft releases patches for Windows Mobile, device makers are often slow to release working updates to the users. I own a Dell Axim 50v, and it took until just a short time ago before there were any updates for Windows Mobile 5.0 on the device! Sure, there were plenty of known bugs, but no patches available.

The fault for not getting fixes lies largely on the device manufacturers, and with the growing number of security problems on mobile devices it is clear that they need to step up. Microsoft may be responsible for the existence and patching of the bugs, but someone needs to make updates available for the specific devices!

[Graham Fluet]

So the problem is in the product model.

SW Via M$,
HW Via ??.
I'll get an iPhone (and don't say anything about no office apps,
Word on a smartphone is PAINFUL!!!

[Stating]

Ha, My Dell Axim Runs IE 4

Dell thanks me as a customer by freezing my $350 Axim X30 at 2004. It runs IE version 4. Many sites do not render properly, if it all. A smaller but growing number crash the browser completely. My only option is to fork out money to buy Opera Mini.

If you own a device that runs embedded Windows then you are completely at the mercy of the vendor. Most times they will only support the device for about a year, until the next model comes out. They have no desire for you to keep using the deveice for several years. They want you to throw it out and buy their latest, most expensive model.

[robbtuck]

They crash anyway

My little MPx-220 likes to lock up on its own - it doesn't need any help. But how would you get updates anyway? It's not like MS makes them available. They require a reflash of the ROM in your phone, so you have to wait for the manufacturer to provide one, which on my outdated phone they probably won't.

[mjm01010101]

crashes indeed

I just came in here to say the same thing. What makes a pocket PC/mobile PC crash? Loading applications on it and starting them. Love the "report an error" pop-up on my screen. It's there so much it's starting to burn in the display.

[ddesy]

In MS' defense

In an unusual position on this, I have to defend Microsoft.

Small, flash based systems are not quite so easy to update as
desktops or servers. If you look at the specifications of different
PDAs and Smartphones, I think you will see that they are all very
different and all contain some sort of manufacturer tweaks.

If Microsoft were to provide your classic "Patch Tuesday" type
updates, they could very easily cause problems with these
tweaked devices. This puts them at a distinct disadvantage over
companies like Apple who will control both with the iPhone.
That kind of control will allow Apple to release updates as they
wish.

[Dr Dude]

Get an iPhone!!!

Be done with all this Widoze BLOAT!!! MS couldn't program their
way out of a paper bag. The real secure OS is coming to an AT&T
or Apple store near you soon. Enjoy the freedom.

[Akiba]

Touch only phone. I don

Anways

[Akiba]

Touch only phone. I dont think so

I would consider getting an iPhone if it wasn't touch screen only and had a keyboard. It may look cool but the usability is crap. Its useless if you aren't looking straight at the screen.

[Stating]

AT&T Freedom? Ha, Ha, Ha, Ha

Freedom from AT&T? I laughed so hard I just fell out of my chair. Fortunately my fall was broken by the AT&T notice telling me that their service fees are going up 30% or more. Let's see, Caller ID is now $7.99, Call Forwarding $3.99. Man I love this freedom. The only thing better would be getting charged to RECEIVE my monthly bill. Oh, how about a fee to process my payment too. That would be great!

[catch23]

ah yes, wait years

for Apple to 'invent' a less capable, more expensive, and far less open solution.

Sorry, I actually have to live and work in the present, not sitting around hoping Apple will catch up

[ittech1]

Which one Cisco's or Apples???

Cisco owns the IPhone name and I hope they stick it to crapple.

[ittech1]

Which one Cisco's or Apples???

Cisco owns the IPhone name and I hope they stick it to crapple.

[wbenton]

Predictably Microsoft-ish

Does Microsoft create anything that doesn't crash?

Walt

[sal-magnone]

Get a life

Go fix global warming; my Windows Mobile devices are just fine.