Security - Windows Phone fails to check certificate Common Names when synchronising email using SSL

Windows Phone currently suffers from a security vulnerability when synchronising email to and from POP3 / IMAP / SMTP servers over SSL, according to a recent vulnerability note on the US-CERT (United States Computer Emergency Readiness Team) website. The problem is that Microsoft's mobile OS does not verify the CN (Common Name) of the server certificate when it connects to a mail server over SSL; the certificate is accepted without checking that it was actually issued for the server the phone is talking to.

This opens the door to a man-in-the-middle attack. An attacker positioned between the phone and the mail server can present a certificate issued for some other host name, which the phone accepts anyway, terminate the SSL connection and read the login credentials or session data for the corresponding protocol (SMTP, POP3, IMAP). The good news is that Microsoft is reportedly aware of the vulnerability and plans to release an update to address it.
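To make the failure concrete, here is an added example (not code from the US-CERT note, Microsoft, or this article) that contrasts the behaviour described above with a proper check. It models certificates as dictionaries in the shape Python's `ssl.SSLSocket.getpeercert()` returns, with a constructed `chain_valid` flag standing in for the CA signature check the phone does perform; the host names and certificates are made up for the demonstration. The hostname matching follows the usual RFC 6125 rules (subjectAltName DNS entries first, CN only as a fallback, a leading `*` matching exactly one label), and `mail_context()` shows the equivalent weak and correct settings for Python's `imaplib`, `poplib` and `smtplib` clients.

```python
import ssl

# Constructed sample certificates (assumption: shape of ssl.SSLSocket.getpeercert()).
# "chain_valid" is a made-up flag standing in for the CA signature check.
LEGIT_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
    "chain_valid": True,
}
# Issued by a trusted CA, but for an unrelated host: the chain verifies, the name does not.
MITM_CERT = {
    "subject": ((("commonName", "evil.example.net"),),),
    "subjectAltName": (("DNS", "evil.example.net"),),
    "chain_valid": True,
}
# Older-style certificate with no SAN extension; only the CN carries the host name.
CN_ONLY_CERT = {
    "subject": ((("commonName", "pop.example.org"),),),
    "chain_valid": True,
}


def dns_names(cert):
    """All DNS names the certificate claims: SAN entries first, CN only as a fallback."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def label_matches(pattern, hostname):
    """Exact case-insensitive match, or a single leading '*' label covering one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole first label, must not be too broad (*.com),
    # and must cover exactly one label (no match for example.com or a.b.example.com).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if any name in the certificate matches the host we intended to reach."""
    return any(label_matches(name, hostname) for name in dns_names(cert))


def accept_vulnerable(cert, hostname):
    """The behaviour the advisory describes: chain checked, presented name ignored."""
    return cert["chain_valid"]


def accept_hardened(cert, hostname):
    """Correct behaviour: the chain must verify AND the name must match the target."""
    return cert["chain_valid"] and hostname_matches(cert, hostname)


def mail_context(verify_hostname=True):
    """SSLContext for imaplib/poplib/smtplib; False reproduces the weak behaviour."""
    ctx = ssl.create_default_context()
    if not verify_hostname:
        # verify_mode stays CERT_REQUIRED, so the chain is still checked but the
        # host name is not: exactly the gap described in the article.
        ctx.check_hostname = False
    return ctx


if __name__ == "__main__":
    target = "mail.example.com"
    for label, cert in (("legit", LEGIT_CERT), ("mitm", MITM_CERT)):
        print(label, "vulnerable:", accept_vulnerable(cert, target),
              "hardened:", accept_hardened(cert, target))
    # Real use (needs a network): imaplib.IMAP4_SSL(target, ssl_context=mail_context())
```

Run as a script it shows that the `mitm` certificate passes the vulnerable check and fails the hardened one. The same distinction applies to any client: a context with `check_hostname=False` still validates the CA chain, which is why the bug is easy to miss in testing against a real server.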

Microsoft is looking to crank up security in its products, particularly Windows Phone 8. We've previously looked at how the company will be improving security in the next major version of Windows Phone.

Source: US-CERT; thanks, Yotsuba, for the heads up!

Reader comments

32 Comments

You mean like build 7740, the SSL certificate revocation that has been available for 9 months? Yeah, my Samsung Focus on AT&T still hasn't gotten that. The disappearing keyboard fix, never got it. Tango, never got it. I've never been more furious at AT&T than I am regarding their lack of concern over distributing security patches and bug fixes.

I could. Or AT&T could just distribute the updates that everyone else has had for 3+ months. What are all the less-knowledgeable customers supposed to do about it? They've had a disappearing keyboard for a year (since 9/27/11) and they won't know how to use the CAB loader, or even what a CAB loader is. Moreover, they likely have no idea that their phone has recognized a revoked SSL certificate as legitimate since January. These are legitimate problems, not even new features, that customers deserve to have fixed. It's just not right. It really isn't.

OR you could just do the method everyone else does to get updates quicker. Unplug the cord while searching for Updates in Zune :) Worked for me

Like I said, that's fine for people like you and me. But not everyone feels comfortable doing that. In fact, I imagine most customers have no idea that these updates have been available for 6-12 months and their carrier chose not to distribute them. Those customers only know one way to get updates: when their phone notifies them that they're available. And until AT&T does that, those people are experiencing a buggy OS that they likely blame on Microsoft, when in reality Microsoft has long since fixed those issues and AT&T simply neglected to even make that known.

Xpxp2002, you have a point there. Why should you have to go through all that trouble when they could just release the update? As for the regular new users that purchased a device with a disappearing keyboard and think it can't get fixed, I'm sure they will not want to purchase another Windows Phone, thanks to AT&T.

I agree that the carriers suck. However, let's not let Microsoft off the hook for the disappearing keyboard bug. That is 100% their fault and it should have been caught in QA.

I give Microsoft a pass on this because everybody makes mistakes and bugs happen in any software. They worked relatively quickly to make the patch and get it out there, so I can't really blame them. The sad part is that they charged nothing to carriers or consumers to update their devices (unlike old Windows Mobile devices, where OEMs passed on a $40 upgrade fee when they decided to make an upgrade available).
 
Yet, AT&T, with a free update that would help make their consumers' experiences better opted not to offer it. Then they turn around and call them the "premier partner" for Windows Phone. It's a slap in the face is what it is. I've always defended AT&T to friends and family who criticize it because their coverage is best here and they have done more than the other US carriers to bring Windows Phone devices to market. But sadly, they do next to nothing to support those devices once they leave the store.

Still does not work for everyone... My LG will not update and I have 2 email accounts that use SSL...
I love my WP7 phone (and even got the one for my wife), but come the first of the year we both will get a WP8 device on anybody but AT&T.
What carrier won't love to have 2 unlimited data users as customers?
Not the AT&T death star.

Shouldn't have to do anything short of plugging your phone in if AT&T did their job. Thank god for WP8 and OTA updates. This will all become a thing of the past, hopefully.

This [unlocking the phone] isn't even remotely the correct solution. The correct solution is for the carriers to either provide proper support, or get out of the way completely.

@xpxp2002

Call AT&T Customer Care and specifically mention the KNOWN vulnerability.

Let them know you want your phone patched or a replacement with a patched device.

If they don't respond, tell them to escalate the call until you get a senior rep. If he or she is not helpful, mention the fact that they are responsible for the security. If that does not work, get a lawyer and start a class action lawsuit.

They will happily give you a new Lumia or other device to keep you happy and the lawyers off their back.

@robert-it I think if all the customers that own Android devices would call regarding the security threats, they would end up getting a Windows Phone.

I'm upgrade-eligible, so do you still think so? I've been waiting for the Lumia 920. I really don't need a new phone at this moment, and can certainly live without it for another 2 months. I'm just frustrated that Windows Phone has been a less-than-excellent experience for most AT&T customers only because AT&T chose not to distribute updates that have been available for months. And I say that with reservation. In all reality it's closer to a year.

OMG, if you have a gen 1 Focus you are in possession of the single easiest device to update to Tango. Grow up or stop complaining, though your complaints against AT&T are legitimate.

That's not the point. I also have a 1st gen device that's easy to unlock and mess with, and even though it's unlocked I get updates relatively quickly. He's saying that you don't assume that you need to do these things yourself when you buy a WP device. That's what Android people do. When a carrier sells a phone it has to provide support for it, even if it's just to correct critical flaws. AT&T chose to skip a critical update that fixes serious bugs that affect the end user experience and security flaws, and it doesn't matter where you are in the world, that's a kick in the balls to a customer. The worst part is, knowledgeable people like you, me or him know that this happens; most people don't.

These are the sort of updates Microsoft should enforce. I say if a carrier is willingly blocking a security update to their customers, they should be liable.

This is much harder to attack than it sounds. In order to perform the attack you have to be on the network between the phone and the server.

Good luck getting that done!

FUD article - much harder to accomplish than they make it sound!!!!!

AT&T does that so they can sell more iPhones/Androids, just like Ford got someone inside Toyota to sabotage their cars with faulty pedals.

You don't have to wait for AT&T; a lot of us updated our phones using information from the XDA-Developers website... The one I used wasn't a hack but a simple matter of changing some settings in the Zune software...
Also, Toyota sabotaged themselves with old crappy foot pedal designs and customers using aftermarket floor pads that didn't stay in place because they lacked the safety feature of having something to lock them in place...