OSNews: http://www.osnews.com/story/25424/Security_Flaw_In_Windows_Phone_Signs_of_Things_to_Come_ Exploring the Future of Computing en-us Copyright 2001-2013, David Adams adam+nospam@osnews.com Mon, 20 May 2013 20:42:44 GMT http://www.osnews.com/images/osnews.gif OSNews.com http://www.osnews.com These attacks are rare for a reason. http://www.osnews.com/thread?500100 http://www.osnews.com/thread?500100 I'm not worried about it. Because of the huge variety of platforms, malware on cell phones is difficult to spread. Exploits for one phone won't work on most other phones (unlike the days when connecting pre-SP2 XP without a firewall directly to the internet resulted in an infection in 30 seconds. Practically everybody had XP)
These external attacks on cell phones are relatively rare, and their surface area for attack is much, much smaller than, say, a desktop computer.

Because of the diversity of platforms, cracking each OS becomes less valuable, as the exploits can reach a smaller number of people. I don't expect we'll see quite the homogenization of platforms in the phone world that we saw in on the desktop. I think it'll stay diverse, much like the console market. Wed, 14 Dec 2011 16:46:00 GMT donotreply@osnews.com (Drumhellar) Comments RE: These attacks are rare for a reason. http://www.osnews.com/thread?500101 http://www.osnews.com/thread?500101
Because of the huge variety of platforms


Yeah, we have like iOS, Android and BB. And maybe Windows in the future, if it catches on. Huuuuge variety. Wed, 14 Dec 2011 16:51:00 GMT donotreply@osnews.com (jal_) Comments Happened before http://www.osnews.com/thread?500102 http://www.osnews.com/thread?500102 About 10 years ago I've seen a similar bug in Siemens phones (S35, C35, A45 and some many others). These phones had additional smileys which were inserted with a special code, something like "%15%".
A specially crafted smiley code could make the phone enter an endless loop while processing the code and the only option to stop it was removing the battery: http://forum.gsmhosting.com/vbb/archive/t-62174.html
The phones only crashed when displaying the message, so the problem was solved by inserting the SIM card in another (non-Siemens) phone and deleting the offending message, deleting the message via IRDA or a PC connection cable or simply not opening it.

My bet is that Windows Phone has problems with displaying or processing malformed Unicode text. Wed, 14 Dec 2011 17:05:00 GMT donotreply@osnews.com (Zlogic) Comments every bit of software has flaws http://www.osnews.com/thread?500105 http://www.osnews.com/thread?500105 The question should not be if it's bad that Windows Phone has a flaw. The question should be how soon will Microsoft have a patch available and how quickly will that patch be applied to phones. Wed, 14 Dec 2011 18:27:00 GMT donotreply@osnews.com (jabbotts) Comments How long until it's fixed? http://www.osnews.com/thread?500109 http://www.osnews.com/thread?500109 One of the complicating factors with deploying a fix for this vulnerability is that it has to go through "mobile operator certification" before it's pushed out to any phones. If the original Windows Phone 7 patches and 7.5 upgrade are any indication, it could be awhile before the carriers push out a fix -- no matter how quickly Microsoft might have one available. Wed, 14 Dec 2011 19:04:00 GMT donotreply@osnews.com (Redmond.Geek) Comments Chicken Little says... http://www.osnews.com/thread?500113 http://www.osnews.com/thread?500113 ...the sky is falling. Wed, 14 Dec 2011 20:00:00 GMT donotreply@osnews.com (Tuishimi) Comments RE: Chicken Little says... http://www.osnews.com/thread?500121 http://www.osnews.com/thread?500121 Good point. It is a two-factor insecurity: You have to have the phone number to send the exploit to and there has to be a wPhone on the receiving end of the payload.

So even if the sky does fall, i.e. this specially crafted SMS message gets sent to every phone on the planet, there will only be about 4 or 5 million handsets affected. And that's only if all of them have SMS enabled, are powered on and are within range of a tower before the message expires.

On the other hand if it happens to you/me it is a 100% bad thing. (o;) (It can't happen to me though. I'm on Virgin Mobile ; there are no wPhones available from them.)

Hope it doesn't happen to you (if applicable.) Wed, 14 Dec 2011 21:48:00 GMT donotreply@osnews.com (glarepate) Comments RE: Happened before http://www.osnews.com/thread?500122 http://www.osnews.com/thread?500122 You're probably right on it being malformed unicode... unicode has the wonderful advantage of massive language support; but the drawback of being too blasted complex for it's own good.

Part of why I still say we should force the whole world to live with the 7 bit ASCII set ;) Wed, 14 Dec 2011 21:52:00 GMT donotreply@osnews.com (deathshadow) Comments Flaws Exists but Exploiting them will be harder http://www.osnews.com/thread?500125 http://www.osnews.com/thread?500125 I recently read an article in the IEEE Megazine (http://www.infoq.com/articles/mobile-attacks-and-defense) about how the SMS messaging is basically the best point to find a flaw. The article talks only about iOS and Android because every other application Sandboxes. This means that the hackers have to find two flaws. So the easiest way is to attack the SMS and GSM to gain control. It also talks about how they will use DEP and ASLR to help prevent the attacks. So hackers will be able to find flaws the problem is that they won't really be able to exploit them due to the vulnerabilities. I guess my point was that the flaws will exists but the probably of actually making a huge impact like we see on PC is low.Edited 2011-12-14 22:33 UTC Wed, 14 Dec 2011 22:32:00 GMT donotreply@osnews.com (DarrkAssassin) Comments RE: These attacks are rare for a reason. http://www.osnews.com/thread?500129 http://www.osnews.com/thread?500129 On other phones - yep, don't work. But it works in Visual Studio, Blend "and others"

https://twitter.com/#!/KSalameh/status/146577133899227137

It really is interesting - what's the string and why the hell it crashes MS stuff. ;) Wed, 14 Dec 2011 23:26:00 GMT donotreply@osnews.com (Wafflez) Comments Telcos http://www.osnews.com/thread?500132 http://www.osnews.com/thread?500132 I'm sure the mobile carriers will filter the offending part before it reaches any phone.Edited 2011-12-15 00:20 UTC Thu, 15 Dec 2011 00:19:00 GMT donotreply@osnews.com (sbenitezb) Comments RE[2]: These attacks are rare for a reason. http://www.osnews.com/thread?500135 http://www.osnews.com/thread?500135 Not all phones are run Android, BB, iOS, or WinPhone. Not all phones are smart phones. If you take into account the vast variety of feature phones (there is no reason not to), yes, there is a huge variety of platforms. Most people don't have $200 to spend on a smart phone. Hell, most people don't have $100, or are unwilling to spend that much, on a smart phone. Thu, 15 Dec 2011 01:42:00 GMT donotreply@osnews.com (Drumhellar) Comments It's said this is just a bug, not a "security flaw". http://www.osnews.com/thread?500139 http://www.osnews.com/thread?500139 Maybe that's spin, but there's no evidence to say it's a "security flaw" rather than just a bug. Thu, 15 Dec 2011 03:13:00 GMT donotreply@osnews.com (MollyC) Comments Old phones didn't reboot. http://www.osnews.com/thread?500147 http://www.osnews.com/thread?500147
Back when people used to only use their phones to call and text, you'd perhaps think that having your phone reboot on you would be no big deal. But these days I find myself often as not composing some important missive.

No, back in the days I used my phone to call, had my phone rebooted on me, it would have been a big deal. I've used a Nokia 3310 for almost 10 years and never saw a crash, a reboot or something that remotely look like a bug, not once.
Nowadays, I expect my phone to have bugs, to crash and to have to reboot it. The battery is dead so often that it doesn't really matter, I just expect my phone not to work every now and then.
The phones are not as reliable as they used to be and that has some positive effects. I'm learning to live without it again. This week I've spent a full day without a phone (battery was dead and charger was at home). This was actually a very pleasant day, like in the old times. Thu, 15 Dec 2011 07:19:00 GMT donotreply@osnews.com (spiderman) Comments RE[3]: These attacks are rare for a reason. http://www.osnews.com/thread?500156 http://www.osnews.com/thread?500156 It was rather clear from the title alone ("Signs of Things to Come?") that the author specifically meant smart phones. Also, already 40% of US mobile phone owners own a smartphone, and amongst youth (15-24) it's even 67%. Western Europe has about the same rates (just Google around for "smartphone penetration" etc.), and let's not forget Japan and China. We're talking about a huge market share, and 100s of millions of smartphones. So I'm really lost why you try to trivialize this potential malware problem. Thu, 15 Dec 2011 11:45:00 GMT donotreply@osnews.com (jal_) Comments RE[4]: These attacks are rare for a reason. http://www.osnews.com/thread?500165 http://www.osnews.com/thread?500165
So I'm really lost why you try to trivialize this potential malware problem.


Maybe because it only affects one of the smallest niches in either feature or smart phones.

And you have to know that the phone you are sending the attack message to is a wPhone. It doesn't work on 98% of all smartphones and 100% of all other phones. More than enough reason to trivialize it IMO. Thu, 15 Dec 2011 14:12:00 GMT donotreply@osnews.com (glarepate) Comments RE: every bit of software has flaws http://www.osnews.com/thread?500166 http://www.osnews.com/thread?500166
The question should be how soon will Microsoft have a patch available and how quickly will that patch be applied to phones.


And how soon after it is available will the patch get rolled out and how long after that before a new way to trigger the underlying flaw (that also exists in Visual Studio and other products) will be triggered by a new mechanism. Thu, 15 Dec 2011 14:19:00 GMT donotreply@osnews.com (glarepate) Comments RE: Telcos http://www.osnews.com/thread?500168 http://www.osnews.com/thread?500168
I'm sure the mobile carriers will filter the offending part before it reaches any phone.


That should make them eager to sell more wPhones: The smallest segment of the smartphone OS market requires them to filter all SMS messges. And will come with Skype soon. Carriers love Skype! Thu, 15 Dec 2011 14:23:00 GMT donotreply@osnews.com (glarepate) Comments RE[2]: every bit of software has flaws http://www.osnews.com/thread?500171 http://www.osnews.com/thread?500171

And how soon after it is available will the patch get rolled out


That would be the "how quickly it is applied to phones" part. I'd agree that patch quality is indeed a factory though; does it correct the root cause or just plaster over it. Thu, 15 Dec 2011 15:08:00 GMT donotreply@osnews.com (jabbotts) Comments RE[3]: every bit of software has flaws http://www.osnews.com/thread?500203 http://www.osnews.com/thread?500203
That would be the "how quickly it is applied to phones" part.


Yup. Sorry about that. Too much caffeine, not enough sleep. |;^\ Thu, 15 Dec 2011 19:00:00 GMT donotreply@osnews.com (glarepate) Comments RE[2]: Chicken Little says... http://www.osnews.com/thread?500213 http://www.osnews.com/thread?500213
And that's only if all of them have SMS enabled, are powered on and are within range of a tower before the message expires.


If you don't power on and connect to the network before the SMS expires you essentially have no phone anyway. ;) It's not a typical scenario for any of the phone owners that I know of anyway. Thu, 15 Dec 2011 19:40:00 GMT donotreply@osnews.com (japh) Comments Amazing http://www.osnews.com/thread?500218 http://www.osnews.com/thread?500218 A serious flaw was found in a rather new piece of software from Microsoft.

Stop the presses! Thu, 15 Dec 2011 19:53:00 GMT donotreply@osnews.com (Lava_Croft) Comments RE[5]: These attacks are rare for a reason. http://www.osnews.com/thread?500221 http://www.osnews.com/thread?500221 It's not trivial to me, a WP7 user. Don't be the asshole who assumes just because YOU aren't affected, that no one else will be. Thu, 15 Dec 2011 19:59:00 GMT donotreply@osnews.com (Morgan) Comments RE[6]: These attacks are rare for a reason. http://www.osnews.com/thread?500258 http://www.osnews.com/thread?500258 On the other hand you are 100% of you. So it's OK to feel bad if you chose something that took advantage of your particular character traits even if only a scant few million out of 7 billion will suffer for having those characteristics. You can even call it my fault.

Yeah, that'll fix things. (o;)

Do you also use Visual Studio? Because the same text string can crash that too. How about Blend? Silverlight? WPF?

http://www.xda-developers.com/windows_phone/bug-crashes-wp7-messagi...

~~~
Bug Crashes WP7 Messaging Hub (And More) Via Text

December 15, 2011 By: Livven
Bug Crashes WP7 Messaging Hub (And More) Via Text

On Monday, a reader of WinRumors.com discovered a pretty nasty bug in Windows Phone 7′s messaging hub: upon receiving a special text, either through SMS, Facebook chat or Windows Live Messenger, the device will automatically reboot, and the messaging hub cannot be opened anymore. Only a hard reset will fix this. For a demonstration, watch this video.

http://www.youtube.com/watch?v=vnhzuKcDo6A

Shortly thereafter, Microsoft acknowledged the bug and said it is looking to “take appropriate action to help ensure customers are protected”. Meanwhile, Khaled Salameh, who originally discovered it, has investigated this issue further and found that it applies to lots of other Microsoft applications as well â€" including Windows Live Messenger, Visual Studio and other desktop software utilizing Silverlight or WPF.

However, rest assured since the special text causing this bug hasn’t been made public, and it isn’t in any way security-related.
~~~

Surely there was no way to anticipate that an M$ product would be negatively impacted by the attempt to process a string of text!

Oh, wait ...

You might consider wearing a bullseye mask.

But since it's my fault I will simply forbid you from doing so.

Now: Sell or throw away your phone. Immediately!

Problem solved. (; Fri, 16 Dec 2011 06:01:00 GMT donotreply@osnews.com (glarepate) Comments RE[3]: Chicken Little says... http://www.osnews.com/thread?500262 http://www.osnews.com/thread?500262
If you don't power on and connect to the network before the SMS expires you essentially have no phone anyway.


Yeah, it would be better to have a phone but with no SMS. Or to have an iPod Touch with a SIP client app.

It's not a typical scenario for any of the phone owners that I know of anyway.


Less typical than getting a text, having your phone die and then being unable to get a text after rebooting? There have been times when I wished I couldn't get an SMS and even more so an MMS, but I have changed carriers twice since then. (o;) Fri, 16 Dec 2011 06:56:00 GMT donotreply@osnews.com (glarepate) Comments RE[5]: These attacks are rare for a reason. http://www.osnews.com/thread?500282 http://www.osnews.com/thread?500282
It doesn't work on 98% of all smartphones and 100% of all other phones. More than enough reason to trivialize it IMO.


As the article says, "similar attacks have already been dealt with on iOS and Android." Unless I'm mistaken the author's intent wasn't "OMG Windows Phone isn't safe!", which shouldn't surprise anybody, but more like "Are we going to see more attacks on smartphones in the future?", which is imho a very good question (albeit not an original one, of course). Fri, 16 Dec 2011 09:28:00 GMT donotreply@osnews.com (jal_) Comments RE[7]: These attacks are rare for a reason. http://www.osnews.com/thread?500287 http://www.osnews.com/thread?500287
On the other hand you are 100% of you. So it's OK to feel bad if you chose something that took advantage of your particular character traits even if only a scant few million out of 7 billion will suffer for having those characteristics. You can even call it my fault.


What the hell does that even mean? I don't feel bad for choosing this phone, in fact it's the best smartphone I've owned since 2006. I'm following the same maxim I always do: The right tool for the job. Android is fine for tablets (I love it on my Nook Color) but it's not stable enough for phone use in my experience. BlackBerry is nice and stable (and secure) but behind the times. iOS is cute and flashy but it's just not quite there for my needs. WP7 is a breath of fresh air and so far has met and/or exceeded all my expectations.

Do you also use Visual Studio? Because the same text string can crash that too. How about Blend? Silverlight? WPF?


Nope, Windows is not my current main OS at home, and I don't use any of those apps at work either.


Surely there was no way to anticipate that an M$ product would be negatively impacted by the attempt to process a string of text!

Oh, wait ...

You might consider wearing a bullseye mask.


And you trot out the usual anti-Microsoft spiel, complete with a troll badge of honor ("M$"). Look, I'm no fan of the company myself, but lately their non-PC stuff has been pretty good (Xbox 360, WP7). Don't act as if this kind of thing ONLY happens to Microsoft, it makes you look quite the fool. You forget that OS X was the first to fall in Pwn2Own two years in a row.


But since it's my fault I will simply forbid you from doing so.


Twice now you have claimed that I somehow blame you for something. How childish and passive-aggressive of you! But hey, it must be all about you right?

Now: Sell or throw away your phone. Immediately!

Problem solved. (;


No thanks, I really like the phone. And I stand by my original statement (which you conveniently never addressed): Don't be the dick who assumes that just because YOU don't own a WP7 phone that this issue is inconsequential and not worth doing anything about. Because, next time it just might be your "superior" phone OS that is targeted. But don't worry, I won't trivialize it when that inevitably happens; my ego needs no stroking. Fri, 16 Dec 2011 11:13:00 GMT donotreply@osnews.com (Morgan) Comments RE[8]: These attacks are rare for a reason. http://www.osnews.com/thread?500336 http://www.osnews.com/thread?500336
I don't feel bad for choosing this phone, in fact it's the best smartphone I've owned since 2006.


And given that the text string that causes this failure may never be released to the public there is every chance that this bug may never hit your phone.

Will I still be an asshole if nothing bad happens to you? Even though it could? (o;)

But hey, it must be all about you right?


Yup. 'Cause I didn't care if you got bit by a bug that may never exist in the wild.

But don't worry, I won't trivialize it when that inevitably happens;...


Why would I worry about that? Even if it really did happen in spite of your thoughtfulness and consideration for me (or whoever).

Actually it's perfectly OK if you do. You are entitled to think and say whatever you want. The restrictions on those things only apply to me, remember? Because I'm baaaaaaad. Somehow. Fri, 16 Dec 2011 19:20:00 GMT donotreply@osnews.com (glarepate) Comments RE[9]: These attacks are rare for a reason. http://www.osnews.com/thread?500337 http://www.osnews.com/thread?500337
Yup. 'Cause I didn't care if you got bit by a bug that may never exist in the wild.


No, it was quite obvious in your original post that you were trying to speak for the rest of the world by saying it was a trivial issue that wasn't newsworthy because you say so. I felt otherwise and said as much, and you went apeshit and tried to make it personal.


Actually it's perfectly OK if you do. You are entitled to think and say whatever you want. The restrictions on those things only apply to me, remember? Because I'm baaaaaaad. Somehow.


Hey bud, I just replied in kind when you went off on an arcane tangent. Believe me, it's not personal. I'm just a sucker and an easy target for Internet trolls.

Though I must say, I have not before run into the kind of extreme passive-aggressiveness you have displayed here, putting deprecating words into my mouth constantly and trying to make it appear as if I'm running ad hominem attacks on you. Stay classy, my friend. Fri, 16 Dec 2011 19:28:00 GMT donotreply@osnews.com (Morgan) Comments RE[2]: These attacks are rare for a reason. http://www.osnews.com/thread?500902 http://www.osnews.com/thread?500902
Yeah, we have like iOS, Android and BB. And maybe Windows in the future, if it catches on. Huuuuge variety.

Oh, you just forgot about the biggest, by far, installed base of Symbian... (still at the top of web stats http://gs.statcounter.com/#mobile_os-ww-monthly-200903-201112 despite its users being most likely less "online active" than iOS or Android ones; even curiously increasing recently somewhat*) ...supposedly dying, yes, but a) it shouldn't matter that much as far as present target vectors go b) in some parts of the world (Africa and Asia, look at their mobile OS stats) it might, in the end, not die after all (it does finally improve, and *^)
Plus, supposedly, at least largish part of its user base should be converted to WinPhone, so that gives us 5.

More, really. You "specifically" count very few platforms as smartphones, relegating rest to feature phone category which doesn't matter or smth ...but, really, S40 (oh, only the most widespread mobile phone platform on the planet; and BTW, S40 is not Symbian) is more of a "smartphone" than iPhone in its first year, and used such by people - browsing, music, apps, etc.
And it's not the only such platform Wed, 21 Dec 2011 23:32:00 GMT donotreply@osnews.com (zima) Comments