The Symantec Security Response Weblog has posted a note warning that an exploit is in the wild that uses the multimedia messaging service (MMS) as a vector. MMS are similar to the SMS but carry multimedia information such as text, sound, pictures and short videos.
The warning is a follow up on a previously disclosed vulnerability found by researcher Collin Mulliner, who gave an updated version of his presentation titled "Advanced Attacks Against PocketPC Phones".
One of the vulnerabilities he discussed had not been patched, and since Collin has released a working exploit for the vulnerability. A malformed MMS message can execute arbitrary code on a mobile device, simply by having a user view the message.
Messages sent through MMS to mobile devices can cause the device to freeze due to flaw on rendering content.
The Symantec blog claims the vulnerability has been publicly disclosed for over six months and there is no patch for it.
One of the recommendations is to install firmware updates when available, but the blog fails to mention that this is not an OS vulnerability, since MMS clients on Windows Mobile are supplied by third party developers. The client is generally available from manufacturers and consumers should put pressure on these to have the software updated.
You can't remove the program, but if you configure it with an invalid WAP gateway then the program won't be able to download any MMS, making it secure. But then you don't get the messages...
Filed under: 
Please