Friday, August 12, 2005

New ActiveSync flaws

It really pays to read Bugtraq! These vulnerabilities were just discovered in ActiveSync for PocketPCs:

7. Microsoft ActiveSync Network Synchronization Multiple Vulnerabilities
BugTraq ID: 14457
Remote: Yes
Date Published: 2005-08-02
Relevant URL: http://www.securityfocus.com/bid/14457
Summary:
Several specific issues have been identified with the network synchronization protocol used by Microsoft ActiveSync.

The first issue is the use of cleartext communications for all network traffic.

The second issue is the lack of password authentication.

The third issue is an information disclosure issue when attempting to initiate network synchronization.

The last issue is a denial of service vulnerability.

These issues combine to allow remote attackers to gain access to potentially sensitive information, aiding them in further attacks. Attackers may also alter or destroy data by simulating the synchronization protocol, or crash the ActiveSync service.

Doesn't look too safe. An attacker can:

  • Steal the data on your PocketPC
  • Crash the ActiveSync server

Not something I'd want to happen on my machine! Do you like Network Hotsync?