
Orange / Microsoft Issue Security Patch



Guest The Futures Bright
Posted

:evil:

MICROSOFT AND MOBILE phone operator Orange are working to patch a security bug that affects the first mobile phone to use Microsoft's Windows Powered Smartphone software, Orange said Thursday.

The SPV phone, launched in October and sold by Orange in several European countries, can run downloadable applications. It was designed to only run certified applications, in order to protect customers against rogue code. However, details on how to disable this security feature have become public, allowing the installation of applications that have not been certified, Orange said in a statement Thursday.

Culprits are SPV users and software developers who were upset with the block on running third-party applications. They came up with a way to undo that protection and posted instructions in online discussion forums on software development for smart phones like the SPV.

Microsoft and Orange have investigated the issue and will provide a security update as soon as possible to solve it, Orange said. Users will be able to download this update through the Orange Update application on their SPV, the Paris mobile operator said.

The procedure to unlock a phone involves manually editing two files on the phone using a PC and the synchronization software, according to one set of instructions found online. Because changes have to be made directly on the phone to be able to bypass the security, Orange said it does not see the issue "as posing any risk to the security" of SPV users.

Orange calls on developers who want to create applications for the SPV to go through the certification process. The company will launch a Web site for SPV developers at the end of February, according to the statement.

The SPV runs Microsoft's Windows Powered Smartphone software and is a mobile phone with PDA (personal digital assistant) features. The software is based on Microsoft's Windows CE 3.0 operating system and includes a Web browser, e-mail and instant messaging clients, an address book and a media player.

Source (InfoWorld)

Guest Paul [MVP]
Posted
The company will launch a Web site for SPV developers at the end of February
THE END OF FEBRUARY?!? Are they taking the p**s or what!

Orange calls on developers who want to create applications for the SPV to go through the certification process

Nice idea, but how does the process work? How do I register as a developer and unlock my device for development?

The whole thing is a monumental cockup...

P

Guest spacemonkey
Posted

This is the best yet...

The same people who can't provide us with a bug fix update want to update our phones now to fix this "security problem". In return this is what they offer us:

Orange calls on developers who want to create applications for the SPV to go through the certification process. The company will launch a Web site for SPV developers at the end of February, according to the statement.

They genuinely think we'll all just go along with a promise of things being better in the future? Especially as that future cuts off non-businesses from development?

Posted

That's the last time I buy a Smartphone commissioned by Orange (he says)

Guest Paul [MVP]
Posted

What's the betting the patch just re-locks the phone, rather than fixing the bug that allows you to do it in the first place ;)

P

Posted

Even if they do, I don't think it'll be long before some Star Trek fan creates an EEPROM Editor of some kind.

Guest spacemonkey
Posted

What's the betting the patch doesn't fix anything else

Posted

"Orange calls on developers who want to create applications for the SPV to go through the certification process. The company will launch a Web site for SPV developers at the end of February, according to the statement."

Oh yes, they are SO interested in software being created for the phone :-(

How on earth can they take 1½ months to do a website???

Guest spacemonkey
Posted

End of Feb, I think you'll find that's 3 months from phone release. And since the phone won't have come as a surprise to Orange (they didn't just magically pop into existence in December) it's inexcusable that they didn't have a solid developer program from day one.

Posted

I thought that Microsoft and Orange checked this board, how can they claim we are trying to make viruses? I just don't get it, I haven't seen anyone talk about making viruses/trojans/whatever, the majority likes/loves the phone and a lot of us just want to create content for it, M$ and Orange should be thrilled!!

Posted

It's also ridiculous that it's taking so long to get an "update" for the current problems yet they can produce one so quickly for a so-called "security issue". Typical bl**dy Microsoft I hear you say :roll:

It's a shambles that when you ask a question to Orange they can take 72 hours to answer it too. It's also a shambles that they promised the update by the end of 2002 and yet we are still waiting for it mid January 2003!

We are also still waiting on a new battery with improved life they also promised would be available by now! This is just the latest in a long list of errors they have made since the phone's release. If the "update" and the problem I have with the awful tone when I call a line that is engaged aren't solved soon I am getting a replacement phone! Probably the XDA at the moment unless something better comes along soon ;)

Guest Kallisti
Posted

FWIW, the patch will simply mean that they add their own customizations to the non-oem provxml files, and remove the coldinit system. I can only assume it was some bright spark in Orange's idea to create that system (which is basically a single API call to process xml config files). Hence, that release is particularly easy to do, doesn't even require MS to help out at all.

Posted

Come on MS/Orange, this phone is in Beta test, you can't deny that.

Protect the man on the street who just wants a neat phone and doesn't want to know how it works by telling him it's in Beta test and only suitable for us geeks and concentrate your resource on fixing the bugs rather than preventing us from getting it to work ourselves.

Posted

Regarding viruses, would you go blabbing about it if you were up to something naughty?

However, I am starting to fail to understand why phone viruses should be an issue. Surely there should be network security on Orange's end and sandboxing on the actual phone?

Posted
FWIW, the patch will simply mean that they add their own customizations to the non-oem provxml files, and remove the coldinit system. I can only assume it was some bright spark in Orange's idea to create that system (which is basically a single API call to process xml config files). Hence, that release is particularly easy to do, doesn't even require MS to help out at all.

This doesn't excuse the fact that Orange have been promising the "update" at the end of 2002. Not only that but to also make promises of a new battery and not deliver on that is not meeting customer expectations. It is basically casting a bad light over the SPV which is a decent phone even though it is buggy. If you only have minor faults with it which you can live with until the update is released then you're probably on the whole relatively happy with it.

Certification aside I still think Orange should manage our expectations and provide the update when they say they will. To now say a "security" issue can be solved with an update very soon is poor to say the least. They should be looking after us not treating us the way they are at the moment over this.

Posted

I think it's funny if you look at http://xda-developers.com/ O2 couldn't give a monkeys about the extent of what people are doing to the XDAs.

I think that Orange are just taking far too much advice from Microsoft (I refuse to believe it's all Orange) and to be fair I can't blame Microsoft for being so harsh about security especially with the press that terrorism is getting at the moment, and Orange are taking this advice like lambs to the slaughter. This is purely my belief, I could be completely wrong here, but the relationship between Orange and Microsoft right now seems extremely close.

I mean this is a company that operates in a country where they delay a film (Gangs of New York) because it could be too distressing to its inhabitants.

Maybe some take security that one step too far, and our freedom will suffer!

DJ Hope

Guest davidhorn
Posted

What I would like is an option to turn the setting on or off.

"Yes, I'm aware of the risks, please allow third party apps to install on my phone."

Notice the operative MY ;)

Posted

Surely there is a legal implication (to Orange) of not allowing you to un-certify your phone when you have it unlocked, effectively paying for the handset, since you are now able to use it on other networks and you should not thus be governed by Orange's security policy? I'm sure O2 won't mind us running applications on their network since they keep advertising the XDA and I bet that has about 50,000 users, and it's a more powerful handset.

DJ Hope

Posted

Orange seem to have stopped all shipments of SPVs until they sort this 'problem'(!) out, this was told to me by avrmobiles.com and smalltalk.com; they said 'there are bugs with the spv and until microsoft/orange fix these we will not be getting anymore phones'.

They didn't seem to know when this would happen but one guy was 'hoping' for next week.

Maybe the update is nearly here??

:roll:

Posted

Well, of course an update is imminent, we have offended Microsoft!

Guest dbcohen
Posted

Actually, this is a real problem...

I've just returned my phone to Onestopphoneshop due to a hardware fault - and have then been told they don't have any stock for replacement and don't know when any more will be coming in.

I managed to find stock at Genie Telecom, so I've switched my order to them, but it's not very good when existing customers can't get replacements because they've throttled back supply!

Posted

That's quite right, if I had to send it back I'd probably quote about how it's not fit for its purpose or something and try to get a different phone.

DJ Hope

Guest dbcohen
Posted

Yes, but I didn't want a different type of phone.

Fact is, despite the bugs and faults, I love the SPV. I also think that it's one of the best mobile products Microsoft has ever done, again, despite the bugs and faults.

And everyone who saw mine was blown away by it. So I am a big supporter, and am spreading the word. I am also in a position to recommend this sort of product to my clients, as I work in the IT/Telecoms convergence area.

And yet this policy (unsure if it's Microsoft, Orange or both) has caused me to delay getting a replacement, and I will be unhappy if I lose the certificate unlock.

That's the reality of what they are doing to their customers... dumb or what!
