Publish malicious code to attack Windows Mobile

A malicious code could attack mobile devices running Windows Mobile through a security flaw in the recently announced MMS multimedia messaging service.

The security flaw mentioned above was discovered by security researcher Collin Mulliner more than 6 months ago.

Over the weekend, Mr. Mulliner decided to publicly announce this security flaw at the Chaos Communication Congress conference with the goal of putting pressure on manufacturers to pay attention and fix bugs.

The MMS multimedia messaging service security error in Windows Mobile is actually a buffer overflow error in the MMS SMIL (Synchronized Multimedia Integration Language) procedure.

If using a long MMS message has "implanted" malware, a malicious attacker could completely make the mobile phone stop working.

IPAQ 6315 and i-mate PDA2K have been proven to have the above security flaws. However, security expert Mulliner said mobile devices using Pocket PC 2003 and Windows Smartphone 2003 could face the risk of being attacked.

Meanwhile, security firm F-Secure does not appreciate the security flaw mentioned above, because to be successful, an attacker must know exactly which MMS is being processed on memory. Therefore, this error is not easily attacked at all. A malicious MMS message of this type can only cause the device to stop working rather than infecting malicious code.

" Although this is a real security bug, it does not pose a threat to most users. Although it can be taken advantage of to create an MMS worm or any other type of malware. But it will not infect the user's device , "said Jarno Niemela, F-Secure's security researcher.

Hoang Dung