Windows Mobile flaws could crash phones

Security firm has uncovered two bugs that, if exploited, could crash phones and other devices running Microsoft's Windows Mobile software.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
A security firm has found a pair of security bugs in Microsoft's Windows Mobile which, if exploited, could crash phones and other devices running the software.

The vulnerabilities lie in Windows Mobile Internet Explorer and Windows Mobile Pictures and Video, Trend Micro, a Tokyo-based security vendor, said in a pair of security alerts. Viewing a rigged Web page or malicious JPEG image file on a Windows Mobile device will cause it to fail, according to Trend Micro.

"Both of these vulnerabilities are potential denial-of-service factors," Todd Thiemann, director of device security marketing at Trend Micro, said in an interview Tuesday. "What we're seeing over time is an uptick in the threats against smart phones, particularly those running Symbian and Windows Mobile."

Trend Micro has told Microsoft about the problems and has not publicly shared the vulnerability details. "The sky isn't falling. Nobody out there is aware of this," Thiemann said. The company doesn't expect any imminent attacks exploiting the problems, he said.

Microsoft is aware of the issues and is investigating them, a company representative said Wednesday. If needed, the software maker will provide an update to hardware makers for distribution to people who use the Windows Mobile devices, it said. The problems affect Windows Mobile 2003 and Windows Mobile 5.0, according to Trend Micro.

While the number of threats to phones today is low, security experts and analysts agree that situation is likely to change with the advent of smart phones running common operating systems. Security companies, including Trend Micro, are hawking software to shield phones against possible attacks.

Another Word zero-day bug
In addition to the Windows Mobile issues, Microsoft is also investigating a report of yet another vulnerability in Word. Symantec and the French Security Incident Response Team, or FrSirt, say they have spotted a fifth zero-day flaw in the word-processing application. Microsoft, however, says the problem was previously known.

"Microsoft's initial investigation shows that this is not a new vulnerability but a duplicate of an already known public issue," the Microsoft representative said.

The newest problem allows an attacker to hijack systems running Word 2003, Symantec said in an alert Tuesday. The company has advised people to make sure their security software is up to date and urges caution when opening Word documents.