Old 08-05-2005, 04:30 PM
Janak Parekh
Editor Emeritus
ActiveSync 3.x and LAN Sync: It's Not Secure

http://www.airscanner.com/security/...tivesync371.htm

The folks at Airscanner have done some careful research on AS 3.x's network syncing, and have found that it's possible to send a packet to a machine running AS with LAN sync enabled that makes AS ask the user for the Pocket PC's password, and then returns the result to the attacker. While this doesn't imply a compromise per se (unless they manage to steal your Pocket PC as well), it could be problematic if people reuse their passwords for multiple resources (e.g., a bank PIN).

What does this mean for you? Here are some "best practices" given the scenario.
  • If you're not using LAN/WiFi ActiveSync, make sure it's turned off in the connection settings in AS (this is now the default for new installs of AS 3.8).
  • Use a unique password for your Pocket PC. Be careful as to when you type it in (i.e., don't randomly type it in if you're not syncing).
  • If you're using ActiveSync on a home network behind a router/firewall, you're probably fine, as the attacker wouldn't be able to access port 5679.
  • If you're using ActiveSync on a machine directly connected to the Internet, either turn off LAN sync or firewall it.
  • And finally, if you're in a large corporate network, exercise caution (and firewall the AS port if you can -- while outside attackers are the first priority, one could have an internal attacker in a large network).
There's no exploit code at the above link, but a determined attacker could certainly write some. I'm sure this is one of the integral scenarios that Microsoft envisioned when disabling LAN sync in AS 4.0. I hope the Mobile Devices group does see fit to do a redesign and reintroduce this feature in later versions.
 
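A practical follow-up to the "firewall port 5679" advice in the post above is to verify, from another machine on the LAN, whether that port is actually reachable. The following is an added example written for this page, not code from the post or from Airscanner: a small TCP connect check against the ActiveSync LAN sync port (5679, as named in the post). The host list, the `start_fake_listener` helper (a throwaway local listener used only so the checker can be exercised offline) and the function names are all assumptions of this example.

```python
import socket
import sys
import threading
from typing import Iterable, List, Tuple, Callable

# TCP port ActiveSync 3.x listens on for LAN sync (the port named in the post).
ACTIVESYNC_LAN_SYNC_PORT = 5679


def port_is_open(host: str, port: int = ACTIVESYNC_LAN_SYNC_PORT, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port succeeds.

    A successful connect means something is listening AND no firewall between
    us and the host is blocking it; that is exactly the exposure the post
    describes. Refused/timed-out connections both count as "not reachable".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # includes ConnectionRefusedError and socket.timeout
        return False


def find_exposed_hosts(hosts: Iterable[str], port: int = ACTIVESYNC_LAN_SYNC_PORT,
                       timeout: float = 1.0) -> List[str]:
    """Return the subset of hosts on which `port` is reachable from here."""
    return [h for h in hosts if port_is_open(h, port, timeout)]


def start_fake_listener(host: str = "127.0.0.1", port: int = 0) -> Tuple[int, Callable[[], None]]:
    """Start a throwaway TCP listener (hypothetical helper, test scaffolding only).

    Binds to an ephemeral port when port=0 so the example runs offline without
    needing a real ActiveSync host. Returns (bound_port, stop_function).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag
    stop = threading.Event()

    def serve() -> None:
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            conn.close()  # we only care that the connect succeeded
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()

    def stop_fn() -> None:
        stop.set()
        t.join()  # returns only after srv.close() has run

    return srv.getsockname()[1], stop_fn


if __name__ == "__main__":
    # Usage: python check_lan_sync.py 192.168.1.10 192.168.1.11 ...
    # (constructed example addresses; substitute the PCs on your own LAN)
    targets = sys.argv[1:] or ["192.168.1.10", "192.168.1.11"]
    exposed = find_exposed_hosts(targets)
    for h in targets:
        print(f"{h}: port {ACTIVESYNC_LAN_SYNC_PORT} {'REACHABLE' if h in exposed else 'not reachable'}")
```

Run it from a second machine on the same network segment rather than from the syncing PC itself: a local check cannot tell you whether a host-based firewall is actually blocking the port for other LAN clients, which is the only thing that matters for the scenario in the post.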