MMS Exploit Released for Windows Mobile – No Patch Available

[Symantec]

MMS Exploit Released for Windows Mobile – No Patch Available
<p>Collin Mulliner gave an updated version of his presentation at <a href="https://events.congress.ccc.de/congress/2006/Fahrplan/events/1545.en.html">23C3</a> in Berlin titled ‘<a href="http://www.mulliner.org/pocketpc/feed/pocketpcmms_collinmulliner_23c3.pdf">Advanced Attacks Against PocketPC Phones’ </a> (we originally blogged about it in <a href="http://www.symantec.com/enterprise/security_response/weblog/2006/08/remote_code_execution_on_windo.html">August</a>). As I <a href="http://www.symantec.com/enterprise/security_response/weblog/2006/12/more_on_windows_cemobile_5.html">previously</a> mentioned, one of the vulnerabilities he discussed had, to my knowledge, still not been patched. Well Collin confirmed this in his presentation and also released a working <a href="http://www.mulliner.org/pocketpc/feed/pocketpcmmssmilexploit.tar.gz">exploit</a> for the vulnerability to liven things up a little.</p>

<p>So let’s summarize:<br />
• There has been a publicly disclosed vulnerability for over six months now.<br />
• There is no patch for this vulnerability. <br />
• There is an exploit now out there.<br />
• There is no easy way to patch the vulnerable devices due to the lack of auto updates (try explaining what a firmware update is to your parents).</p>

<p><br />
Now what can we do about this? Well, Collin summarizes the following defense points in his presentation:<br />
• WLAN notification flooding denial of service<br />
o Packet filter / firewall on phone</p>

<p>• MMS message-based attacks (the SMIL exploit)<br />
o IDS / “AntiVirus” on phone<br />
o Mobile phone service provider based IDS / “AntiVirus”</p>

<p>• General SMS/MMS Service Provider Measures<br />
o Filter binary SMS that carry MMS MNotification.ind</p>

<p>• Install firmware updates when available!!!</p>

<p>These pretty much summarize the key points; however, Collin also mentions in his presentation, “User only needs to view the message to trigger exploit.” So I would add, only view MMSs from trusted sources.</p>

<p>On that note, Happy New Year everyone! And remember, just because it doesn’t look like a computer doesn’t mean it can’t be owned.</p>

<p></p>

<p></p>

<p><br />
</p>
http://www.symantec.com/enterprise/security_response/weblog/2006/12/mms_exploit_released_for_windo.html
http://www.symantec.com/enterprise/security_response/weblog/2006/12/mms_exploit_released_for_windo.html
Sat, 30 Dec 2006 10:30:00 -0800