| View previous topic :: View next topic |
| Author |
Message |
msmobiles.com_robot
Joined: 23 Mar 2004
Posts: 16777215
|
 Posted: Sat Dec 30, 2006 6:49 pm Post subject: Code of MMS Exploit for Windows Mobile released - but STILL no patch available |
 |
|
Thought this might be interesting to you guys. Bascially the actual code required to exploit a security vulnerability in the MMS client on Windows Mobile has been released.
Shortly speaking: now malware writers c...
Read more at http://www.msmobiles.com/news.php/5903.html |
|
| Back to top |
|
 |
gilesjuk
Joined: 22 Jan 2005
Posts: 312
|
| Posted: Sat Dec 30, 2006 9:26 pm Post subject: |
|
|
| Shows how much attention Windows Mobile is given at Microsoft. |
|
| Back to top |
|
|
AlanJC
Joined: 17 May 2006
Posts: 21
|
| Posted: Sat Dec 30, 2006 10:07 pm Post subject: |
|
|
Are we sure this works on all PPC devices with MMS capability?
What about different AKU versions?
Also, bear in mind Microsoft don't make the MMS utility, it's usually Arcsoft on the ones HTC make.
So I'm not sure if really Microsoft should be responsibility for bugs in someone elses program. Note this security alert is specifically against MMS, not email, which could have the same files sent to it, I don't know if it's their problem at all. |
|
| Back to top |
|
|
MaxiKing
Joined: 01 Jan 2007
Posts: 3
|
| Posted: Mon Jan 01, 2007 8:43 pm Post subject: |
|
|
I somehow feel delighted ...
... that this bunch of completely incompetent security newbies at msmobiles.com got their foolish statements shoved up the a...!
Any grown-up computer user who has half-a-brain left would know that with the widespread use of Windows Mobile and the numerous distribution vectors like mail, SMS, MMS, Bluetooth one day these devices would be targeted.
Now you have seen the advent of a new generation of Viruses, ones that can send Premium SMS or silently call a toll-number on the Cayman Islands in the middle of the night. Even worse - not 1% of the users has any protection.
Now for everyone's sake - revisit you articles below, say sorry and then get people to protect their phones or their phone bill might be in the thousands of dollars. Guess how popular Windows Mobile will be for those folks!
Maxi
Check that rubbish out - biased and dangerous:
AntiVirus 4.0 for Windows Mobile released by Symantec
http://msmobiles.com/news.php/5717.html
Symantec, the company that makes annoying anti-virus software that is included with several notebooks and PCs - and that works under condition that you have to pay after some time (extortion?) - is now targeting also Windows Mobile increasingly. It looks like their PC software business may shrink due to imminent release of Windows Vista that is well protected, so no wonder Symantec embraces more warmly Windows Mobile all of a sudden...
Our verdict: this anti-virus software is not worth buying.
Trend Micro Mobile Security 3.0 released although nobody needs it
http://msmobiles.com/news.php/5771.html |
|
| Back to top |
|
|
cucci
Joined: 13 Oct 2006
Posts: 49
|
| Posted: Mon Jan 01, 2007 10:12 pm Post subject: |
|
|
Please note....
The previous posting was from ' A grown-up computer user with half-a-brain left '.
Just thought you'd all like to know..... |
|
| Back to top |
|
|
s3ntinel
Joined: 13 Sep 2005
Posts: 65
|
| Posted: Tue Jan 02, 2007 12:48 pm Post subject: |
|
|
It had to come here too, security is not quite so black and white. Everyone buying the sky falling on your head protector, please go and read the original avisory. This is not a silent attack, and Symbian will still be attacked because Windows Mobile devices with phone connectity are still not widely spread enough to provide 'bang for buck' (Yet!).
Mobile AV is still snake oil ... period!  |
|
| Back to top |
|
|
s3ntinel
Joined: 13 Sep 2005
Posts: 65
|
| Posted: Tue Jan 02, 2007 3:58 pm Post subject: |
|
|
Oh and BTW, this is stated to be for WM2003 and would cost approx €0.49 per MMS. Not really a mass exploit, even for cyber criminals. The WM market has really taken off since WM5, which is so far not vulnerable.
Symbian is more targetted as more phones that are not market as being 'Smartphones' are available with the Symbian O/S as opposed to the WM O/S which is on 'Smartphones' or PDAs. The only device not being marketed in this way so far is the Lobster. |
|
| Back to top |
|
|
MaxiKing
Joined: 01 Jan 2007
Posts: 3
|
| Posted: Tue Jan 02, 2007 10:14 pm Post subject: |
|
|
| Quote: | | This is not a silent attack, and Symbian will still be attacked because Windows Mobile devices with phone connectity are still not widely spread enough to provide 'bang for buck' (Yet!). |
That's a great reply - what's the point in referring to Symbian when it comes to the fact that ANY operating system is vulnerable! Childish.
| Quote: | | Oh and BTW, this is stated to be for WM2003 and would cost approx €0.49 per MMS. Not really a mass exploit, even for cyber criminals. |
And you think they would pay for the distribution? You would - for all people in the contact list. And they would for their contacts. What if someone published a "Shareware game" with a hidden payload that would start sending malicious MMS after 30 days and get the "Virus" going? And then all those phones might call toll numbers in the Carribean at 2 in the morning local time.
| Quote: | | Mobile AV is still snake oil ... period! |
... and this definitely does not help against ignorance.
I don't say that I like the pricing of Mobile AV or the marketing of those vendors, but face the fact that you have a 400 Mhz Windows device that has an Internet connection and no firewall. And you can use that device to call toll numbers, just as dialers did before everyone switched to DSL and Cable modems.
Face it: This is common sense!
Maxi |
|
| Back to top |
|
|
s3ntinel
Joined: 13 Sep 2005
Posts: 65
|
| Posted: Tue Jan 02, 2007 10:22 pm Post subject: |
|
|
Maxi, why would cybercriminals target a mobile device when they have plenty botnet PCs to target? 50,000 from MS06-040 alone!
I work in security, and fail to see the real threat here. A security researcher has been playing and found an exploit that works on some devices and not others.
Have you tried sending an MMS recently? Most of the time it ends up as being a URL instead of the actual MMS.
The relevance of Symbian, BTW, is not 'cos I hate Symbian but that you don't try to hit a niche target area when trying to earn money.
Yes these are devices that sometimes have internet connectivity, but it's often below 56k and too expensive for people to activate.
Wait until 3G/HSDPA becomes mainstream and then that's a different issue, but until then this is still snake oil. Read the PPT presentation and look at everything that was setup in the lab, this really isn't more then a POC.
Now I'm not stating that there will never be a threat, but at the present moment if I stand in the Atlantic off the West coast of Scotland with a White Shark scarer and there are no White Sharks there does that mean that it works?
The sea off Tyree is warmed by the Gulf Stream so the conditions are there, so surely the scarer works? Of course not, now with Global warming, things may change and the need to sustain the white sharks might mean that they move there and the scarer becomes useful, but until such time it is snake oil.
Mobile AV is the same, show me an AV vendor that detects against exploit code itself, and they are very few and far between, they wait for a viral threat to come along and then detect that with a signature.
So you need to constantly update your Mobile AV to protect against any known threat that is there. That is their business model, so you spend most of your data allowance in trying to become protected against a threat that isn't happening yet; this drives a reliance on the annual subscription to the AV vendor. |
|
| Back to top |
|
|
MaxiKing
Joined: 01 Jan 2007
Posts: 3
|
| Posted: Wed Jan 03, 2007 11:45 am Post subject: |
|
|
| Quote: | | Maxi, why would cybercriminals target a mobile device when they have plenty botnet PCs to target? |
Because very few of these are still using dial-up connections that allow you to "charge" the user. Instead you hijack their broadband connection to send SPAM. 5 Mobile phones can probably create more cash than 10000 PCs. I think you should be able to send toll SMS or call toll numbers worth 500$ per night (3$ per minute ~ 2 hours silently calling while recharging the battery in the night)
30 nights per month * 5 devices = 75000$ (In the ideal world, maybe 20000$ in real life.) Now imagine you hijack 50 phones.
| Quote: | | I work in security, and fail to see the real threat here. A security researcher has been playing and found an exploit that works on some devices and not others. |
A researcher has proven that it can be done. Criminals will have a look and do the math. Once there is an exploit it might spread relatively quickly and noone has an AntiVirus, Patch Management or call blocker installed. That's an attack on the greenfield and once they are successful it might get worse as you easily can earn a few 100.000$ per attack.
That's the threat. If you do it right, you can be very rich.
| Quote: | | Have you tried sending an MMS recently? Most of the time it ends up as being a URL instead of the actual MMS. |
I am not talking about MMS only. I stated that there are plenty of vectors: The bluetooth stack, the WiFi stack and above all the whole TCP/IP system, that in fact creates an Internet connection with the same risks you have on your desktop machine.
I think we have both made our points so there is no reason to go back and forth now, but I would feel much better if Mobile phone operators would license an AV for general use from those companies and would include it in their offering.
If Symantec AV for Symbian or Windows Mobile could be downloaded and activated by having a valid phone contract, I would feel much better and if they charge my operator 30c per user per month it would be okay for me. They don't necessary need to spot the exploit code, but might be able to keep an updated list of numbers and receipients that get blocked - no calls, no messages.
Maxi |
|
| Back to top |
|
|
Sterdickup66
Joined: 09 Jan 2007
Posts: 2
|
|
| Back to top |
|
|
Addickder
Joined: 10 Jan 2007
Posts: 3
|
|
| Back to top |
|
|
|
FAQ
Search
Memberlist
Usergroups
Register
Profile
Log in to check your private messages
Log in
