Date:
1 June, 2008
Name of risk:
ActiveSync.
Manufacturer (if relevant):
Microsoft Corp.
Description:
ActiveSync is a synchronization program developed by Microsoft. It allows a mobile device to be synchronized with either a desktop PC, or a server running FirstClass Collaboration Suite, Microsoft Exchange Server, PostPath Email and Collaboration Server, Kerio MailServer, Zimbra or Z-push. Only personal information manager (PIM) data (Email, Calendar/Contacts) may be synchronized with the Exchange Server. (Tasks may also be synchronized with Exchange Server on Windows Mobile 5.0 devices.) The PC synchronization option, however, allows PIM synchronization with Microsoft Outlook, along with Internet "favorites", files, and tasks, amongst other data types. Supported mobile devices include PDAs or Smartphones running Windows Mobile, or the Windows CE operating system, along with devices that don't use a Microsoft operating system, such as the Symbian and iPhone platforms. ActiveSync also provides for the manual transfer of files to a mobile device, along with limited backup/restore functionality, and the ability to install and uninstall mobile device applications.

At a special iPhone SDK launch event on March 6th, 2008, Apple announced that it would use ActiveSync technology to allow for synchronization between iPhones and Microsoft Exchange Server.

Alternative software that allows mobile devices to synchronize non-Microsoft PIMs with a PC is also available, such as FinchSync and BirdieSync for Thunderbird, or Intellisync.

Starting with Windows Vista, the latest release of the Windows operating system, ActiveSync has been replaced with the Windows Mobile Device Center.

The software is free to download from the Microsoft ActiveSync website. Support is usually provided by the device manufacturer, and the cost of that support depends on the manufacturer's policy.

Vulnerabilities
Two vulnerabilities were identified in Microsoft ActiveSync (version 3.7.1 and prior) which could be exploited by remote attackers to disclose sensitive information or cause a denial of service.

The first issue is due to a design error when sending authentication responses, which could be exploited by attackers to enumerate valid equipment IDs by sending specially crafted requests to port 5679 and examining the responses.

The second vulnerability occurs when numerous attempts are made to initialize with ActiveSync (port 5679/TCP), which could be exploited by remote attackers to cause a denial of service.

Microsoft ActiveSync 4.1, as used in Windows Mobile 5.0, uses weak encryption (XOR obfuscation with a fixed key) when sending the user's PIN/Password over the USB connection from the host to the device, which might make it easier for attackers to decode a PIN/Password obtained by sniffing or spoofing the docking process.

Systems Affected:
Microsoft Windows.
Level of risk:
Less Critical (2).
Type of threat:
Denial of service attacks, Sniffing.