Security researchers have released proof-of-concept code that exploits vulnerabilities in MMS implementations in mobile phones running mobile versions of Windows. The vulnerability was discovered six months ago by security researcher Collin Mulliner, who published the exploit at the Chaos Communication Congress in Berlin last week in a bid to force manufacturers to deal with the issue.
The flaw involves buffer overflow vulnerabilities in the SMIL (Synchronized Multimedia Integration Language) protocol in MMS messages. As a result, long MMS messages appended with malware may crash phones in such a way as to deposit hostile code in the memory of targeted devices. The iPAQ 6315 and i-mate PDA2k are confirmed as vulnerable, but other devices running Pocket PC 2003 and Windows Smartphone 2003 are also likely to be at risk of attack using the technique.