Vulnerability Found in IE Mobile

 
Mike Temporale
Managing Editor


Joined: 07 Jul 2003
Posts: 9066
Location: Toronto, Canada

Posted: Thu Feb 01, 2007 10:00 am    Post subject: Vulnerability Found in IE Mobile

http://hardware.silicon.com/pdas/0,...5576,00.htm?r=1

"The vulnerabilities lie in Windows Mobile Internet Explorer and Windows Mobile Pictures and Video, Trend Micro said in a pair of security alerts. Viewing a rigged web page or malicious JPEG image file on a Windows Mobile device will cause it to fail, according to the security vendor. ...Trend Micro has told Microsoft about the problems and has not publicly shared the vulnerability details. Thiemann said: "The sky isn't falling. Nobody out there is aware of this." The company doesn't expect any imminent attacks exploiting the problems, he said."

Well, nobody out there was aware of the problem until you made this press release. [Rolling Eyes] Anyway, they sure make it sound a lot worse than it is. I'm sure it's just the first of a number of bugs that will be uncovered over time. Bugs are almost impossible to avoid. They're going to happen. Microsoft needs to work hard to ensure that any bug can't bring down the entire OS. I'm also thrilled to know that companies like Trend Micro have nothing better to do with their time and money except tear apart software looking for ways to scare people into buying their software. [Confused]
_________________
"I have no special talents, I am only passionately curious" - Albert Einstein
Rocco Augusto
Contributing Editor


Joined: 28 May 2005
Posts: 1236
Location: Portland, OR

Posted: Thu Feb 01, 2007 11:30 am

I never understood companies like this. If this flaw wasn't a real "threat" and no one knew about it and they informed Microsoft of the bug... why oh why would you make a press release?!?!
_________________
Smartphone Thoughts
Contributing Editor
stevew
Smartphone Ponderer


Joined: 20 Nov 2004
Posts: 95
Location: Port Orange, Fl

Posted: Thu Feb 01, 2007 3:54 pm

"Viewing a rigged web page or malicious JPEG image file on a Windows Mobile device will cause it to fail,"

Cause what to fail? If it's just that the web page or image will fail to load correctly, so what?

If it causes the device to fail, how so?
_________________
Samsung i607/Cingular BlackJack
If it ain't Black take it back 
davezack
Smartphone Neophyte


Joined: 02 Feb 2007
Posts: 1

Posted: Fri Feb 02, 2007 7:23 am

Rocco Augusto wrote:
I never understood companies like this. If this flaw wasn't a real "threat" and no one knew about it and they informed Microsoft of the bug... why oh why would you make a press release?!?!


The reason is actually a valid one: Do you think Microsoft (or most other large corporations) are eager to invest the time and money into patch development to fix issues with already released products? Issuing a press release like this one gives the consumers just enough information to pressure Microsoft to release a patch without giving the specifics as to how to exploit the vulnerability. It's a way to add a little extra incentive for Microsoft to do the right thing and correct the problem *before* it is discovered by someone who intends to use it for malicious purposes.

As for Mike's post, I have to say that I'm disappointed to find those types of comments on this site - they read like a fanboy flame on Slashdot. Arguing that bugs and security vulnerabilities are a fact of life and that this somehow excuses Microsoft for their inadequate testing procedures and then turning the blame on Trend Micro for daring to look for flaws in the first place is ridiculous. Sure, Trend Micro is in the business to make money, but if you don't see the value in having companies proactively searching for vulnerabilities so they can notify Microsoft before "the bad guys" find it, then you really don't get it. There will always be flaws in software. And each time a flaw makes its way into a production application, the software vendor should be held accountable and use that as an opportunity to improve their testing procedures to make sure that type of flaw never slips through the cracks again. And since Microsoft isn't willing to invest the resources into looking for problems in their own software, that leaves a gap that companies like Trend Micro, Symantec, McAfee and others need to step into and help provide an added layer of security between the good guys and the bad. Trend Micro didn't create the software vulnerability - Microsoft did. And nowhere in their press release did TM overexaggerate the risk to try and boost software sales - in fact, they very clearly stated that "the sky isn't falling" and that they don't expect anyone to immediately exploit the vulnerability.

And no, I don't work for Trend Micro or any other anti-virus vendor. I just happen to have over 15 years in computer security and software development and couldn't let this post slide by without comment.

dz
Mike Temporale
Managing Editor


Joined: 07 Jul 2003
Posts: 9066
Location: Toronto, Canada

Posted: Fri Feb 02, 2007 1:43 pm

davezack wrote:
Arguing that bugs and security vulnerabilities are a fact of life and that this somehow excuses Microsoft for their inadequate testing procedures and then turning the blame on Trend Micro for daring to look for flaws in the first place is ridiculous.


Slow down and take a breath, Dave. That's not what I said at all. I said that bugs are a fact of life. If you've been developing that long then you should know that. No application can ever be 100% bug free from the start. At least not now. Maybe in 10 years or so.

At no point did I say that was an excuse for Microsoft's inadequate testing. In fact I said that Microsoft needs to work hard to ensure that any bug can't cripple the entire OS. This is called good design - making sure that a bug doesn't bring the whole world to a standstill is an effective way to manage bugs. Which, as we talked about above, are going to happen. I'm not saying that they are free to code poorly as long as the bug is limited in the damage it does. I'm saying they need to write effective error traps to help prevent bugs from destroying the world.

And finally, I don't think I blamed Trend Micro for anything. I find their motives questionable. But hey, fear sells and I guess I can't blame them for trying to sell their app. [Wink]
_________________
"I have no special talents, I am only passionately curious" - Albert Einstein
Janak Parekh
Rogue Pocket PC Thoughts Editor


Joined: 30 Jun 2003
Posts: 313
Location: New York, NY

Posted: Fri Feb 02, 2007 11:15 pm

Mike Temporale wrote:
I said that bugs are a fact of life. If you've been developing that long then you should know that. No application can ever be 100% bug free from the start. At least not now. Maybe in 10 years or so.

That's true, but certain classes of bugs should not exist today. A particular peeve of mine: there should not be any buffer overflows in software today. There simply isn't any excuse, period. (That said, I have no idea if these flaws in particular are buffer overflows. But the fact that new vulnerabilities keep on getting announced on multiple platforms with buffer overflows... sigh.)

Anyway, I've gotta agree with davezack. Where have the exploits been posted? The article talks in the most general of ways. Moreover, I don't see a PR on Trend Micro's site. Nor is the article hawking the particular product used to defend the mobile device. Is Trend Micro purely altruistic? Of course not. But I see absolutely nothing wrong with this article.

--janak
All times are GMT - 6 Hours