BugTraq
Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass Feb 22 2007 02:51AM
chgsupra1 aol com (1 replies)
RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass Feb 22 2007 07:12PM
Roger A. Grimes (roger banneretcs com) (1 replies)
RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass Feb 22 2007 10:55PM
McCarty, Eric C. (emccarty er ucsd edu) (1 replies)
This vulnerability also assumes the attacker has physical access to the
device. Once a device is stolen or accessed physically by an attacker, it
will be cracked, one way or another.

Remote device policies should dictate the importance of notifying IT
staff immediately if a device is lost or stolen so it can be remotely
"bricked".

I agree that more and more companies are lacking in responsibility for
their security vulnerabilities. Yet oftentimes mitigating factors can
assist a company in determining the priority to put on patches or
updates. For example, the fact that someone needs physical access to
exploit this security risk certainly dictates a much lower priority for
patching.

Eric McCarty

-----Original Message-----
From: Roger A. Grimes [mailto:roger (at) banneretcs (dot) com]
Sent: Thursday, February 22, 2007 11:13 AM
To: chgsupra1 (at) aol (dot) com; bugtraq (at) securityfocus (dot) com
Subject: RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password
Bypass

Is it truly an "emergency call" if you need to look up the number? Why
not put in your valid password and make a regular call?

Security is a lot about expectations. If a device is locked or
password-protected, the expectation is that all the data is fully
protected all the time. If it's not, then communicate it in the
documentation so I can make a valid marketing choice when buying a
product.

If the concern is that some people would like to have this feature
as-is, make it a checkmark decision on the Preferences page. Then both
sides are happy.

The bigger issue isn't this particular bug. It's a symptom of more and
more companies who, when faced with a security problem, just decide not
to fix it. I think that as long as the product is still expected to be
reasonably used, or unless a shorter warranty period is communicated, if
a security bug gets revealed, it should be fixed. Note, we're not
arguing how long they should have to fix it, but rather whether they will
fix it ever. That's the central issue. And it's one I'll personally
remember when purchasing my next Treo product. I may buy another Treo
product, I don't know, but this will absolutely be on my mind as I look
at competitor devices.

Roger

*******************************************************************
*Roger A. Grimes, Banneret Computer Security, Consultant
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger (at) banneretcs (dot) com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*******************************************************************

-----Original Message-----
From: chgsupra1 (at) aol (dot) com [mailto:chgsupra1 (at) aol (dot) com]
Sent: Wednesday, February 21, 2007 9:52 PM
To: bugtraq (at) securityfocus (dot) com
Subject: Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password
Bypass

I can understand why Palm does not want to fix it. This is my opinion;
it stems from feature richness: the initial state of the phone is locked,
and then you receive a call; it then provides the user the ability to
search for a contact/number/meeting/memo, etc. (header/prefix only). If
this Find feature is blocked, then the user would have to hang up the call
and unlock the phone to retrieve the info, then call the user back. I
have run into this situation on many occasions, since I did not know that
the Find feature could be used in this mode.

The SecurityLockFindFix.prc is available to block the Find feature, but
for the non-security-minded person flexibility may well overshadow
security; that is a personal matter, though. There is no personal choice
when the Palm Treo is corporate-owned, so the fix should be applied.

RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass Feb 26 2007 11:35PM
Roger A. Grimes (roger banneretcs com)