Microsoft: Security fix due for phone OS

The company plans to update its Smartphone 2002 operating system to fix flaws that make it possible to send rogue software programs to phones that use the OS.

Ben Charny Staff Writer, CNET News.com
Ben Charny
covers Net telephony and the cellular industry.
Ben Charny
2 min read
Microsoft plans to update its Smartphone 2002 operating system to fix security flaws that make it possible to send rogue software programs to phones that use the OS, a representative said Friday.

The Microsoft representative did not provide a specific release date for the update, but Stuart Jackson, a representative for U.K. carrier Orange, which sells the affected phone, said the updated software is expected in about two weeks.

So far there have been no reports of phones being infiltrated by unauthorized software. Orange's SPV is currently the only phone using the Smartphone 2002 operating system.

There is growing evidence from both Orange and the developer community that software developers looking to create legitimate programs for the SPV discovered the gaps and began exploiting them.

Orange still hasn't made available to developers SPV phones that have been "unlocked," meaning phones that can run software that hasn't been certified by Orange, software developer Damian Hack said Friday in an e-mail to CNET News.com.

But how else, Hack asked, can developers test the software they've created before submitting it to Orange, which then certifies it for use on its network. Hack wrote that he and other developers, frustrated by Orange's pace, took matters into their own hands.

"The Orange SPV has not been 'hacked'," Hack wrote. "The (security measure) has, rather, been legally circumvented by exploiting existing bugs in the bundled software and operating system. This circumvention allows developers to test their applications on their own SPV prior to going through the Orange certification process. This is surely a necessity in any robust and quality-assured development scheme."

Orange's Jackson said Friday that the company would make "unlocked" phones available to developers sometime next month.

The possibility of rogue software flooding through cell phone networks is among the worst fears carriers have, said Alan Reiter, an analyst with consulting company Wireless Internet & Mobile Computing. Cell phone networks became vulnerable to such attacks when carriers began selling phones that can download software and games, ring tones and business tools, he said.

But Hack explained that the two methods of avoiding the phone's security will not turn the world's 1.2 billion cell phones into a breeding ground for crippling viruses. The gaps developers discovered still do not let them commandeer the phone's radio, the only way to dispatch a virus to other phones, Hack said.

"Mobile developers are generally responsible people, which is evidenced by the lack of viruses on the Orange network to date," Hack wrote.

Microsoft had no further comment on the flaws.