
Vulnerability Found in IE Mobile


Mike Temporale
02-01-2007, 05:00 PM
http://hardware.silicon.com/pdas/0,39024643,39165576,00.htm?r=1

"The vulnerabilities lie in Windows Mobile Internet Explorer and Windows Mobile Pictures and Video, Trend Micro said in a pair of security alerts. Viewing a rigged web page or malicious JPEG image file on a Windows Mobile device will cause it to fail, according to the security vendor. ...Trend Micro has told Microsoft about the problems and has not publicly shared the vulnerability details. Thiemann said: "The sky isn't falling. Nobody out there is aware of this." The company doesn't expect any imminent attacks exploiting the problems, he said."

Well, nobody out there was aware of the problem until you made this press release. :roll: Anyway, they sure make it sound a lot worse than it is. I'm sure it's just the first of a number of bugs that will be uncovered over time. Bugs are almost impossible to avoid. They're going to happen. Microsoft needs to work hard to ensure that any bug can't bring down the entire OS. I'm also thrilled to know that companies like Trend Micro have nothing better to do with their time and money except tear apart software looking for ways to scare people into buying their software. :?

Rocco Augusto
02-01-2007, 06:30 PM
I never understood companies like this. If this flaw wasn't a real "threat" and no one knew about it and they informed Microsoft of the bug... why oh why would you make a press release?!?!

stevew
02-01-2007, 10:54 PM
"Viewing a rigged web page or malicious JPEG image file on a Windows Mobile device will cause it to fail,"

Cause what to fail? If it's just the web page or image will fail to load correctly, so what.

If it causes the device to fail, how so?

davezack
02-02-2007, 02:23 PM
I never understood companies like this. If this flaw wasn't a real "threat" and no one knew about it and they informed Microsoft of the bug... why oh why would you make a press release?!?!

The reason is actually a valid one: Do you think Microsoft (or most other large corporations) are eager to invest the time and money into patch development to fix issues with already released products? Issuing a press release like this one gives the consumers just enough information to pressure Microsoft to release a patch without giving the specifics as to how to exploit the vulnerability. It's a way to add a little extra incentive for Microsoft to do the right thing and correct the problem *before* it is discovered by someone who intends to use it for malicious purposes.

As for Mike's post, I have to say that I'm disappointed to find those types of comments on this site - they read like a fanboy flame on Slashdot. Arguing that bugs and security vulnerabilities are a fact of life and that this somehow excuses Microsoft for their inadequate testing procedures and then turning the blame on Trend Micro for daring to look for flaws in the first place is ridiculous. Sure, Trend Micro is in the business to make money, but if you don't see the value in having companies proactively searching for vulnerabilities so they can notify Microsoft before "the bad guys" find it, then you really don't get it. There will always be flaws in software. And each time a flaw makes its way into a production application, the software vendor should be held accountable and use that as an opportunity to improve their testing procedures to make sure that type of flaw never slips through the cracks again. And since Microsoft isn't willing to invest the resources into looking for problems in their own software, that leaves a gap that companies like Trend Micro, Symantec, McAfee and others need to step into and help provide an added layer of security between the good guys and the bad. Trend Micro didn't create the software vulnerability - Microsoft did. And nowhere in their press release did TM overexaggerate the risk to try and boost software sales - in fact, they very clearly stated that "the sky isn't falling" and that they don't expect anyone to immediately exploit the vulnerability.

And no, I don't work for Trend Micro or any other anti-virus vendor. I just happen to have over 15 years in computer security and software development and couldn't let this post slide by without comment.

dz

Mike Temporale
02-02-2007, 08:43 PM
Arguing that bugs and security vulnerabilities are a fact of life and that this somehow excuses Microsoft for their inadequate testing procedures and then turning the blame on Trend Micro for daring to look for flaws in the first place is ridiculous.

Slow down and take a breath, Dave. That's not what I said at all. I said that bugs are a fact of life. If you've been developing that long then you should know that. No application can ever be 100% bug free from the start. At least not now. Maybe in 10 years or so.

At no point did I say that was an excuse for Microsoft's inadequate testing. In fact I said that Microsoft needs to work hard to ensure that any bug can't cripple the entire OS. This is called good design - making sure that a bug doesn't bring the whole world to a standstill is an effective way to manage bugs. Which, as we talked about above, are going to happen. I'm not saying that they are free to code poorly as long as the bug is limited in the damage it does. I'm saying they need to write effective error traps to help prevent bugs from destroying the world.

And finally, I don't think I blamed Trend Micro for anything. I find their motives questionable. But hey, fear sells and I guess I can't blame them for trying to sell their app. :wink:

Janak Parekh
02-03-2007, 06:15 AM
I said that bugs are a fact of life. If you've been developing that long then you should know that. No application can ever be 100% bug free from the start. At least not now. Maybe in 10 years or so.
That's true, but certain classes of bugs should not exist today. A particular peeve of mine: there should not be any buffer overflows in software today. There simply isn't any excuse, period. (That said, I have no idea if these flaws in particular are buffer overflows. But the fact that new vulnerabilities keep on getting announced on multiple platforms with buffer overflows... sigh.)

Anyway, I've gotta agree with davezack. Where have the exploits been posted? The article talks in the most general of ways. Moreover, I don't see a PR on Trend Micro's site. Nor is the article hawking the particular product used to defend the mobile device. Is Trend Micro purely altruistic? Of course not. But I see absolutely nothing wrong with this article.

--janak