Microsoft ActiveSync Weak Password Obfuscation Information Disclosure Vulnerability

Bugtraq ID:	25976
Class:	Design Error
CVE:	CVE-2007-5460
Remote:	No
Local:	Yes
Published:	Oct 15 2007 12:00AM
Updated:	Oct 15 2007 11:08PM
Credit:	Ollie Whitehouse of Symantec discovered this issue.
Vulnerable:	Microsoft Windows Mobile 5.0 Microsoft ActiveSync 4.1
Not Vulnerable:	Microsoft Windows Mobile 6.0

Microsoft ActiveSync Weak Password Obfuscation Information Disclosure Vulnerability

Microsoft ActiveSync is prone to an information-disclosure vulnerability because it fails to adequately obfuscate sensitive information.

Attackers can exploit this issue to gain PIN or password data for devices docked via USB.

Software that uses ActiveSync 4.1 is vulnerable; other versions may also be affected.

Microsoft ActiveSync Weak Password Obfuscation Information Disclosure Vulnerability

Currently we are not aware of any working exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:[email protected].

Microsoft ActiveSync Weak Password Obfuscation Information Disclosure Vulnerability

Solution:
The vendor has addressed this issue in Windows Mobile 6. Please see the references for more information.

Microsoft ActiveSync Weak Password Obfuscation Information Disclosure Vulnerability

References:

• Windows Mobile Homepage (Microsoft)
  
• SYMSA-2007-010: Microsoft ActiveSync 4.x Weak Password Obfuscation ([email protected])