Guest kernowmagic Posted March 14, 2003

Security Flaw Found in Smartphone Software

Microsoft and Orange are working on a patch for a flaw that could allow rogue code to run on certain phones.

Joris Evers, IDG News Service
Thursday, January 16, 2003

Microsoft and mobile phone operator Orange are working to patch a security bug that affects the first mobile phone to use Microsoft's Windows Powered Smartphone software, Orange said Thursday.

The SPV phone, launched in October and sold by Orange in several European countries, can run downloadable applications. It was designed to only run certified applications, in order to protect customers against rogue code. However, details on how to disable this security feature have become public, allowing the installation of applications that have not been certified, Orange said in a statement Thursday.

Culprits are SPV users and software developers who were upset with the block on running third-party applications. They came up with a way to undo that protection and posted instructions in online discussion forums on software development for smart phones like the SPV.

Microsoft and Orange have investigated the issue and will provide a security update as soon as possible to solve it, Orange said. Users will be able to download this update through the Orange Update application on their SPV, the Paris mobile operator said.

Low Risk

The procedure to unlock a phone involves manually editing two files on the phone using a PC and the synchronization software, according to one set of instructions found online. Because changes have to be made directly on the phone to be able to bypass the security, Orange said it does not see the issue "as posing any risk to the security" of SPV users.

Orange calls on developers who want to create applications for the SPV to go through the certification process. The company will launch a Web site for SPV developers at the end of February, according to the statement.

http://www.pcworld.com/news/article/0,aid,...d,108834,00.asp

Guest kernowmagic Posted March 14, 2003

ha wonder who they are talking about eh? LOL

Guest mcwarre Posted March 14, 2003

I Love my SPV but only cos it is unlocked and I can use it for loads of stuff without having to increase the Orange Share Price by paying for BASIC programmes such as a file manager!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

Guest lewis.curley Posted March 14, 2003

End of Feb you say which year would that be then? Come on Orange!!

Guest Jeeves Posted March 14, 2003

Orange have investigated the issue and will provide a security update as soon as possible to solve it

YESSSS!!!!!!! I really hope they rush this out fast so that we can once again enjoy LOCKED SPVS!!!!!!!! :roll:

Seriously though, what is the point in providing an update to a 'problem' that only occurs if a user works hard to create it :?: This update would create more problems than it solves.

At the moment the situation with regards to application signing is:
MoDaCo'ers = Happy because we can unlock our phones :)
Normal users = Not an issue because they don't want to unlock anyway :D

But after such an update:
MoDaCo'ers = F**kin p***ed off because we can only run apps which the brilliant people @ Orange think we should be allowed to run :x
Normal users = Same as before because they didn't want to unlock :(

Overall a loss. (Note that sad represents the boring traditional business man :wink: )

Now their reasoning is that we couldn't destroy our phones with rogue code. What, code such as task manager, doom, gnuboy & countless others :?: Take away all this just to protect an idiot who might put a virus onto the phone :?:

Imagine if you could only install Microsoft approved applications on the desktop version of Windows. The biggest thing for users to look forward to would be the next version of solitaire. Only it wouldn't because Microsoft would have died off years ago. With something as potent and as flexible as Symbian to compete with Orange/Microsoft cannot afford to go down this route.

I could conceive that Orange may want to fix the hole because of the supposed additional tech. support overheads. However, consider that someone has to read a forum like this just to get it unlocked in the first place. That person would then have access to an abundance of knowledge far in excess of what tech support possess anyway, so why would they call Orange :?: Speaking of tech support, surely Orange would be better advised to plough money into that rather than making updates that will only annoy people :roll: .

RANT OVER

Sorry about the long post, but this just had to be said ;)

Guest martinmacca Posted March 14, 2003

wasn't this discussed 2 months ago! look at the date on the news topic - January 16th :)

Guest Ed Posted March 14, 2003

YESSSS!!!!!!! I really hope they rush this out fast so that we can once again enjoy LOCKED SPVS!!!!!!!!

Properly funny :)

Seriously though, what is the point in providing an update to a 'problem' that only occurs if a user works hard to create it :?: This update would create more problems than it solves.

At the moment the situation with regards to application signing is:
MoDaCo'ers = Happy because we can unlock our phones :lol:
Normal users = Not an issue because they don't want to unlock anyway :(

But after such an update:
MoDaCo'ers = F**kin p***ed off because we can only run apps which the brilliant people @ Orange think we should be allowed to run :x
Normal users = Same as before because they didn't want to unlock :(

Overall a loss. (Note that sad represents the boring traditional business man :wink: )

Condensed version of exactly what I couldn't be arsed to type once. Good lad.

Guest martinmacca Posted March 14, 2003

there we go :) http://www.modaco.com/viewtopic...hlight=security

Guest Myke Posted March 14, 2003

wait.. so this major security issue is just people decerting their phones? the fix they release will stop users from doing this?! ahahhahha that's not a fix!

Guest Syvwlch Posted March 14, 2003

wait.. so this major security issue is just people decerting their phones? the fix they release will stop users from doing this?! ahahhahha that's not a fix!

In the end, Marketing decided to call it an update. At least in Danish.

Guest Richie M Posted March 14, 2003

Yeah, I don't think we'll all be as keen to install the next UK update :cry:

Guest yatpeak Posted March 15, 2003

Also, they tried to put a patch on the Danish update, and someone figured out how to get past it within a few days, they're obviously not too good at patching things... :)

Wyatt

Guest Myke Posted March 15, 2003

it doesn't matter what they do, we will find a way around it!!! :)

Guest Big Ron - No Longer a Mem Posted March 15, 2003

I could conceive that Orange may want to fix the hole because of the supposed additional tech. support overheads. However, consider that someone has to read a forum like this just to get it unlocked in the first place. That person would then have access to an abundance of knowledge far in excess of what tech support possess anyway, so why would they call Orange. Speaking of tech support, surely Orange would be better advised to plough money into that rather than making updates that will only annoy people.

Why would "ploughing money into technical support" make any difference to applications that Orange DON'T support? You download software, you screw up your phone... it's NOT Orange's problem - it's yours alone. Their only worry connected with the event might be that they sold you a phone at a subsidized cost expecting to reap profits from selling you airtime... and now that you've bust your phone, you've stopped BUYING airtime!

The SPV-and-tech-support issue deserves its own thread. Orange has 17m phones and users out there, most of which are used to do simple things (like make voice calls) and the vast majority of "problems" handled by tech support are SIMPLE things that don't require rocket scientists to solve.

The SPV opened a whole new can of worms - a phone that by its very nature, was going to be used to do comparatively COMPLICATED things. So, it was going to generate comparatively complicated problems - problems quite unlike those generated by 99% of previous phones (except for the odd customer who wants to use his phone as a modem to surf the web using an Ipaq or laptop.)

Their CSRs are comparatively GOOD on a wide range of "simple problems" (which is all they need to be most of the time, given that most customers' problems ARE simple). Ring 156, and the same CSR will sort out basic technical problems, billing problems, apply roaming to your account... without even transferring you. But it's a "one size fits all" solution that's not 100% appropriate to what should have been obvious as SPV owners' needs.

MY thought was that they needed a dedicated SPV team. Instead, they spent the money on tacking a couple of hours "general" training onto every tech support member's time. "Wide and shallow" rather than "Narrow and deep" which was what was needed. But Orange had never DONE "Narrow and deep" before, didn't know how, and couldn't hang on to the new staff who could. The real techies were nearly always the first to quit from each new intake.

Anyone know how the January 2003 intake are doing? September and October 2002 had lost over 50% of their members by Feb 2003.

Guest Syvwlch Posted March 15, 2003

Big Ron,

Agree 100%. Two observations:

1. In the Help&Advice section, we spend 80% of our time (just made that up from gut-feeling, but you get the idea) sorting people out with either the de-cert process or with GPRS/MMS/Email settings for other networks. If the phone was sold unlocked, and available on all networks, these would not be issues, and there wouldn't be that much tech&support required. Not because of our uncertified apps, anyway.

2. The whole new can of worms that the SPV opened for Orange is the drilling of a hole in the dyke (er... not that sort of dyke, blondie) they've tried to build between us and the world outside their network. Now that we have real IP connectivity to the internet, they will start to erode just like AOL... who's really spending time on the Orange portal now that they've made the switch from WAP to PIE?

I think Orange shot themselves in the foot, and I'm interested to see how they will go about making sure they don't get gangrene. At the mo, this talk of security patches feels like they're bandaging the other leg.

Guest Palindrome Posted March 15, 2003

Brilliant!!! Funniest thing I've seen all day! Do you think they'll start a new trend in anti-updates? What next, an update to disable your keypad? Marvellous. Hopefully they'll release the update and their download page hit counter won't make it into double figures.

Guest vampyre69 Posted March 15, 2003

Someone somewhere will get a workaround failing that... The person that wrote the update will post a workaround or provide 'service'. Don't worry yourselves. When a software company adds a security anti-piracy feature, it gets cracked. When a virus comes out a new update is released. Follow me? yet?

Guest DJHope Posted March 15, 2003

haha, this is a carbon copy of another topic, wait maybe I'll have a search! Whoops no the search engine is too complicated!

DJ Hope

Guest awarner [MVP] Posted March 15, 2003

DJHope a link was posted already about a link, but as this topic is established and the old topic has been dead for awhile, this one may as well keep going.

Guest Gorskar Posted March 15, 2003

Anyway, we have already seen the results of Microsoft's "security" patch in the latest DK update. It is still possible to circumvent certification, albeit in a more complicated way.

Guest Chris b.a.r.f. Posted March 15, 2003

Anyway, we have already seen the results of Microsoft's "security" patch in the latest DK update. It is still possible to circumvent certification, albeit in a more complicated way.

Indeed it is possible, but the hassle involved has put me off - I can wait a little longer, mostly due to the fact that I've only received a few insultingly low offers for my previously-for-sale SPV :)

Guest daverow Posted March 15, 2003

I spose at least the easiest way around it is not to download it in the first place. Most of the major bugs seem to be pretty much fixed on the phone now, I know I'm happy with mine. Orange must be stupid if they actually believe that we'll go to all the trouble of de-certing our phones, and then willingly download a patch so that it re-certs the phone permanently. Haha!

Guest pete1312 Posted March 15, 2003

I wonder if Orange will make this next update available to Win 98/SE/ME users :)

Guest Chris b.a.r.f. Posted March 15, 2003

I spose at least the easiest way around it is not to download it in the first place. Most of the major bugs seem to be pretty much fixed on the phone now, I know I'm happy with mine. Orange must be stupid if they actually believe that we'll go to all the trouble of de-certing our phones, and then willingly download a patch so that it re-certs the phone permanently. Haha!

....the T9 was fixed *properly* in DK-update2 (i.e. it remembers words through a power-cycle), that's worth far more to me than a decertified phone. I really only use my phone as a phone (it's really true :wink: ) and MP3 player - all the games I've tried for it are useless simply because of the control method (I'm not lambasting the quality of the games themselves here), and the various freeware apps *are* nerdy fun for a while but there ain't enough hours in my day to use farting about with phone software. It's more the whole principle of Orange's app-signing that pisses me off, especially when the same company sells the P800 in de-cert form :evil:

Back On-topic now - I wonder if, when Orange realize that all their attempts to app-lock the SPV fail, they'll end up giving in and allowing users to remove the certification requirement? It's a thought...