Security Flaw In ActiveSync


Ed Hansberry
03-26-2003, 11:30 PM
http://www.securityfocus.com/bid/7150/discussion/

"A problem with ActiveSync could make it possible for remote users to trigger a denial of service. It has been reported that under some circumstances, the ActiveSync wcescomm service can be forced to crash. Due to improper handling of some requests, the wcescomm process becomes unstable. This can result in the process crashing, requiring a manual restart to resume service."

As if AS needed help crashing. ;) Gory details here (http://www.securityfocus.com/archive/1/315901).

Could be worse. Anyone get a copy of "Microsoft Security Bulletin MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)" in their email today? I loved this line:

Quote: Although Windows NT 4.0 is affected by this vulnerability, Microsoft is unable to provide a patch for this vulnerability for Windows NT 4.0. The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability.

:lol:

bdegroodt
03-26-2003, 11:57 PM
Isn't that special? What's next? Any word on this applying to AS 3.6?

I guess we don't need to start another "AS sucks" thread, but this sure does make one think about that.

szamot
03-27-2003, 12:21 AM
....like I needed more reasons to hate this software! :devilboy:

Jason Dunn
03-27-2003, 12:35 AM
<shrug> If you don't have a firewall on your PC, someone crashing ActiveSync is the LEAST of your worries. :roll:

Janak Parekh
03-27-2003, 12:37 AM
<shrug> If you don't have a firewall on your PC, someone crashing ActiveSync is the LEAST of your worries. :roll:
Not necessarily true. My research machine doesn't have a firewall - it would mess with a lot of my work, and I've never gotten hacked - it's just locked down properly. The AS problem is quite an annoying situation, but can't you turn off ActiveSync-over-network to solve the problem? Anyone know?

(Update: no, a "netstat -na" still shows ActiveSync running port 5679 even when the Sync over Network option is running. Aargh. I'll have to firewall that single port if MS doesn't patch it. :evil:)

--janak
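
The `netstat -na` check mentioned in the post above can be automated. This is an added example, not code from the thread: it parses Windows-style `netstat -na` output and reports whether port 5679 is listening on a non-loopback address and which remote peers are connected to it. The sample output is constructed, and the function names are hypothetical.

```python
import ipaddress

ACTIVESYNC_PORT = 5679  # port named in the thread

# Constructed sample of Windows `netstat -na` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5679           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:5679      192.168.1.77:3345      ESTABLISHED
  TCP    127.0.0.1:5679         127.0.0.1:1188         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' (IPv4 or bracketed IPv6) into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port

def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:
        return False

def audit(netstat_text, port=ACTIVESYNC_PORT):
    """Return listeners and non-loopback peers for `port` in netstat output."""
    report = {"listeners": [], "exposed": False, "remote_peers": []}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP":
            continue  # headers, blank lines, and stateless UDP rows
        laddr, lport = split_endpoint(fields[1])
        if lport != str(port):
            continue
        if fields[3] == "LISTENING":
            report["listeners"].append(laddr)
            if not is_loopback(laddr):
                report["exposed"] = True  # bound to 0.0.0.0, :: or a LAN address
        elif fields[3] == "ESTABLISHED":
            raddr, _ = split_endpoint(fields[2])
            if not is_loopback(raddr):
                report["remote_peers"].append(raddr)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The result only says whether the port is reachable beyond localhost; it does not tell you whether the installed ActiveSync version is affected.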

ucfgrad93
03-27-2003, 12:40 AM
Is anyone really surprised about another Microsoft security leak? :roll:

Janak Parekh
03-27-2003, 12:47 AM
Just for fun: disconnect your Pocket PC, keep your ActiveSync window open, and try telnetting to 127.0.0.1 (localhost), port 5679.

It's obvious that ActiveSync is evolved from older (friendlier) days, so this DoS vulnerability is not all that surprising to me. A lot of older code wasn't really designed to be Internet-safe, like the old WinCE Services stuff, a lot of which is still in AS.

Let's just hope MS releases 3.7 soon. :)

--janak

JoeMoon
03-27-2003, 01:04 AM
Let's just hope MS releases 3.7 soon. :)


3.7? They should do a major re-write and start from scratch. In fact, it shouldn't even bear the former name... Who wants memories of AS?

I therefore submit this new name to MS: "Working Sync v1.0". Hopefully MS can develop something that might live up to its name!

Joe...

bdegroodt
03-27-2003, 01:18 AM
Let's just hope MS releases 3.7 soon. :)

--janak

Janak- are you using AS 3.6 or 3.5? If 3.6, does this errata apply?

Jonathan1
03-27-2003, 01:29 AM
<shrug> If you don't have a firewall on your PC, someone crashing ActiveSync is the LEAST of your worries. :roll:

How many business PCs have firewalls on them? Most depend on firewalls on the outskirt of the LAN/WAN where they access the internet. How many computers are out there in the enterprise environment that have activestink installed without a firewall?

This software is @$$. Active Stink Sucks.

Welcome to trustworthy computing. :|

Janak Parekh
03-27-2003, 02:54 AM
3.7? They should do a major re-write and start from scratch. In fact, it shouldn't even bear the former name... Who wants memories of AS?
True. However, I'd at least like obvious vulnerabilities fixed.

Brian - I don't know if this applies to 3.6. My guess is yes, but I'd love to be wrong.

--janak

karen
03-27-2003, 03:22 AM
....you mean someone has discovered a way to make wcescomm crash and stop running? So it won't be running when I don't have my PPC hooked up? And it might keep it from auto starting, too? :lol:

Where do I download this amazing program?

Karen

st63z
03-27-2003, 05:18 AM
Stop crying to Bill for more security darnit!

"My followers, I have heeded your pleas. Witness our new secure DRM system for all future software!" (whistles innocently)

Steven Cedrone
03-27-2003, 06:15 AM
Hmmm...

Correct me if I'm wrong. What we are talking about here is not using your PC in a DoS attack against another machine. Just crashing ActiveSync, thereby causing a "denial of service" from your PC to your Pocket PC...

Steve

Steven Cedrone
03-27-2003, 06:18 AM
....you mean someone has discovered a way to make wcescomm crash and stop running? So it won't be running when I don't have my PPC hooked up? And it might keep it from auto starting, too? :lol:

Where do I download this amazing program?

Karen

Use ActiveSync Toggle (http://www.micrologics.co.uk/library/ast/), it REALLY comes in handy...

Steve

Janak Parekh
03-27-2003, 06:19 AM
Correct me if I'm wrong. What we are talking about here is not using your PC in a DoS attack against another machine. Just crashing ActiveSync, thereby causing a "denial of service" from your PC to your Pocket PC...
Mostly correct -- however, the point is this program can be targeted at a remote machine and can crash its ActiveSync process if port 5679 is open.

Where do I download this amazing program?
That's right... it's not a bug, it's a feature! :lol:

Stop crying to Bill for more security darnit!
Nah, we're crying to Bill to fix the bugs. Big difference. ;)

--janak

Steven Cedrone
03-27-2003, 06:41 AM
Mostly correct -- however, the point is this program can be targeted at a remote machine and can crash its ActiveSync process if port 5679 is open.

If someone is probing my machines for open ports, I doubt they are doing it so they can crash ActiveSync. It really doesn't seem to me like this is a very serious vulnerability IMHO...

I'd at least like obvious vulnerabilities fixed.

This flaw wasn't very obvious. AS has been out for a while, this is the first we are hearing of this...

Steve

Pony99CA
03-27-2003, 07:32 AM
Use ActiveSync Toggle (http://www.micrologics.co.uk/library/ast/), it REALLY comes in handy...
Most of the times I've tried ActiveSync Toggle, it didn't work. I'd have WCESMgr.exe lock up, and ActiveSync Toggle would just say it couldn't shut down ActiveSync. :-(

Steve

djdj
03-27-2003, 09:32 AM
Just for fun: disconnect your Pocket PC, keep your ActiveSync window open, and try telnetting to 127.0.0.1 (localhost), port 5679.


And conversely, if you block port 5679 in your firewall, nothing can get through to exploit the problem.

Cracknell
03-27-2003, 02:03 PM
and hackers of the world put on big grins gloating over the fact tiny PPC can bring down a big desktop.

duh... (hey at least the Dept. of Homeland Security hasn't declared activeSync as terrorist tool)

Active sync has received such a bad rep. It might as well be rewritten and renamed. And true to Microsoft tradition, any products with version 3.x tag or under fifth major market release containing the word: wizard, active, auto and smart, will give you instant DoS vulnerability.

I propose either renaming it Active Sync Xp or pocket Lizard-non active- non auto- Dumb Sync to ward off the bad spell. :D (tho' 90% of the feature for pLinanaD are already in place so at least this doesn't need code rewrite, just marketing pamphlet.)

Cracknell
03-27-2003, 02:09 PM
Hmmm...

Correct me if I'm wrong. What we are talking about here is not using your PC in a DoS attack against another machine. Just crashing ActiveSync, thereby causing a "denial of service" from your PC to your Pocket PC...

Steve

well if you can make a machine crash and hopefully reboot, that's half the introductory chapter to hacking.

Ed Hansberry
03-27-2003, 02:33 PM
Mostly correct -- however, the point is this program can be targeted at a remote machine and can crash its ActiveSync process if port 5679 is open.

If someone is probing my machines for open ports, I doubt they are doing it so they can crash ActiveSync. It really doesn't seem to me like this is a very serious vulnerability IMHO...
I agree, but someone in an internal LAN of a large company could wreak havoc with this. Now all the smart sysadmins know of this vulnerability and can detect it, because we know all the smart sysadmins read Pocket PC Thoughts, right? :lol:
I'd at least like obvious vulnerabilities fixed.

This flaw wasn't very obvious. AS has been out for a while, this is the first we are hearing of this...
The SQL 2000 slammer vulnerability was there since SQL 2000 was released and detected in 2002 and abused in 2003. Other vulnerabilities can lay dormant for years. In my post I joked about the one MS sent out today that NT4, 2000 and XP all share. NT4 has been out since 1996. For all I know, the vulnerability exists in NT3.x too but MS no longer tracks that OS.

Honestly I don't expect AS 3.5/6 to be fixed per se. I just hope MS fixes it in 3.7 or whatever the next release is.

rlobrecht
03-27-2003, 02:46 PM
I therefore submit this new name to MS: "Working Sync v1.0". Hopefully MS can develop something that might live up to its name!

Joe...

Not 1.0. No Microsoft product is ever right with 1.0. Who remembers Windows 1.0? We need AS 5.0.

Janak Parekh
03-27-2003, 05:09 PM
The SQL 2000 slammer vulnerability was there since SQL 2000 was released and detected in 2002 and abused in 2003. Other vulnerabilities can lay dormant for years.
Right. I mean, it's obvious now. :)

Honestly I don't expect AS 3.5/6 to be fixed per se. I just hope MS fixes it in 3.7 or whatever the next release is.
That's fine, as long as MS does it soon. I'd suspect that they know about it and are working on it, though; it shouldn't be that difficult to fix this vulnerability -- and besides, it's really time for a version of AS that can be downloaded with drivers for all the new Pocket PCs... unless they're waiting for a new OS to come out. :D

--janak

Steven Cedrone
03-27-2003, 05:41 PM
well if you can make a machine crash and hopefully reboot, that's half the introductory chapter to hacking.

But this doesn't crash the computer, just ActiveSync...

Steve

AndreiY106
03-27-2003, 07:30 PM
Seems that things are even more weird. Even if you've got 'remote sync' feature disabled in ActiveSync settings, your ActiveSync *still* listens to the incoming connections - just try disabling this remote sync and try telnetting to your PC on ActiveSync's port - you will see it trying to establish a connection. I don't know, however, if it will connect, since someone has told me that it will listen but won't answer.

Another really dangerous thing is that someone might get access to your desktop box knowing the UID of your Pocket PC and its partnership name - an attacker can simply pretend to be a Pocket PC and connect to your desktop. If the UID and Partnership name are ok, ActiveSync will "synchronize" this fake PPC without asking anything :(

ikesler
03-27-2003, 11:43 PM
Is this why my AS is crashing every time I sync now?
Non-internet syncing is fine........ but whenever I go to sync Vindigo or Avantgo.......... it is crashing and is crashing my computer........ has been doing it for like 4 days now?
Any ideas?
Never had this happen before.........
I did just install that MS security patch........ could that be it?
Thanks in advance!