Security update for Windows Phone devices in May

Microsoft is preparing to release a security update for its Windows Phone 7 devices to block certain SSL certificates that may potentially harm users of the devices. At the time of writing, there are nine known domains that appear to exist fraudulently, in order to perform 'phishing' attacks on unfortunate users. Microsoft previously warned of the following sites:

  • login.live.com
  • mail.google.com
  • www.google.com
  • login.yahoo.com (3 certificates)
  • login.skype.com
  • addons.mozilla.org
  • “Global Trustee”

Since warning of these sites, Microsoft released an update for all supported Windows operating systems, in order to minimise any risk they may pose. The SSL certificates could be used for a number of different purposes, all of them malicious. Microsoft believe that these SSL certificates could be used to spoof content, perform phishing attacks, or perform 'man-in-the-middle' attacks against different internet browsers. Comodo released a blog post about the SSL certificates in March, though Microsoft are yet to release any updates against the SSL certificates for Windows Phone 7 devices.

While it is currently unclear how Microsoft intends to distribute the patches for their handsets, it is possible that they will use the 'over-the-air' update system, as opposed to a major firmware update. Microsoft's Trustworthy Computing manager, Bruce Cowper, had this to say:

"Fraudulent digital certificates are not a Microsoft security vulnerability. We have been working to develop a mitigation update for Windows Phones."

Interestingly, Comodo themselves appear to believe that the attacks could be politically-motivated, or state-driven. Melih Abdulhayoglu, Comodo's founder, had this to say about the attacks:

"Well, one of the origin of the attack that we experienced is from Iran, what is being obtained would enable the perpetrator to intercept web based email/communication and the only way this could be done is if the perpetrator had access to the Country’s DNS infrastructure (and we believe it might be the case here). Of course this is our interpretation of the situation.

"First time we are seeing a “state funded” attack against the “Authentication” infrastructure. The Threat Model is changing and Comodo had already initiated a proposal for new standards in 2010 which would help mitigate some of these attacks. We will make sure to double our efforts in getting industry wide acceptance to these much needed standards so that we can continue to defend our security and freedom."

It is possible that the same people who hijacked Comodo's website in late March may have been responsible for these further attacks. While the release date of the Windows Phone 7 update is not known, Winrumors suggests that it could be released on May 3rd, 2011.

14 Comments

i guess the question is if this kind of security/minor (non-feature) update is able to bypass telcos and push out update asap... since this is security issue... hopefully they can skip telcos...

lim3918 said,
i guess the question is if this kind of security/minor (non-feature) update is able to bypass telcos and push out update asap... since this is security issue... hopefully they can skip telcos...

I agree. Hopefully it will be over the air...

Meph said,
With this update, we can test them to see whether they have fixed what went wrong last time.

Well they've obviously fixed it if they've managed to get the previous update out

~Johnny said,

Well they've obviously fixed it if they've managed to get the previous update out

It will be interesting to see if a security update like this will have to wait for "Carrier testing"; I hope it will not, it is unacceptable that the device security is held hostage of carriers.

stablemist said,
3rd of May for unlocked/dev/unbranded devices and 1+ months later for carrier devices.

I don't expect this to be any sorta ROM flashing type update so it shouldn't need carrier testing, it doesn't change anything deep in the OS etc.

GP007 said,
I don't expect this to be any sorta ROM flashing type update so it shouldn't need carrier testing, it doesn't change anything deep in the OS etc.

Of course the previous updates didn't change anything deep in the OS either

mog0 said,

Of course the previous updates didn't change anything deep in the OS either

There's an argument that adding C&P changed things enough. SL3 which is what most of WP7 is based on doesn't have native clipboard support (something they added in v4). So adding that, or in this case backporting it, is a deep enough change I'd say.

GP007 said,

There's an argument that adding C&P changed things enough. SL3 which is what most of WP7 is based on doesn't have native clipboard support (something they added in v4). So adding that, or in this case backporting it, is a deep enough change I'd say.


As well as adding a CDMA stack...

GP007 said,

There's an argument that adding C&P changed things enough. SL3 which is what most of WP7 is based on doesn't have native clipboard support (something they added in v4). So adding that, or in this case backporting it, is a deep enough change I'd say.


They didn't add Clipboard support to the Silverlight API, that's not coming until Mango. The clipboard has been available in coredll since Windows Phone 7 released, the DLLImport project on XDA even has support for calling GetClipBoardData and SetClipBoardData