Exploit released for Windows Mobile flaw

A leading mobile security researcher last week unveiled a new proof-of-concept exploit targeting an unpatched Windows Mobile vulnerability that has been publicly disclosed for over six months.

Researcher Collin Mulliner published the exploit at the 23rd Chaos Communication Congress in Berlin late on Friday. The proof-of-concept code takes advantage of a flaw in the Synchronized Multimedia Integration Language (SMIL) in MMS messages, which is vulnerable to buffer overflows. According to Mulliner's presentation, the user only needs to view the MMS message to trigger the exploit he developed. 

Mulliner tested his exploit on the IPAQ 6315 and i-mate PDA2k, and researchers believe that all Pocket PC 2003 and Microsoft Windows Smartphone 2003 devices could be susceptible to the same type of attack. However, the risk from this particular PoC code is likely limited, experts said. 

"While Collin's discovery is very significant, it does not pose immediate danger to any large group of users," wrote researcher Jarno Niemela on F-Secure's blog. "The only devices for which the proof-of-concept code is available are the IPAQ 6315 and i-mate PDA2k. And even in those devices, the attacker needs to guess the correct memory slot where the MMS processing code is executing and send correctly crafted exploit code. This means that a malicious MMS message will most likely only be able to crash the device, not exploit it." 

Nevertheless, Niemela and other security experts encouraged users to update their firmware regularly to ensure their devices are patched.

Click here to email West Coast Bureau Chief Ericka Chickowski.

Sign up to our newsletters