Security - Windows Phone fails to check certificate Common Names when synchronising email using SSL

Windows Phone currently suffers from a security vulnerability when synchronising email with POP3, IMAP and SMTP servers over SSL, according to a recent filing on the US-CERT (United States Computer Emergency Readiness Team) website. The issue is that Microsoft's mobile OS does not verify the Common Name (CN) of the server certificate when connecting over SSL: as long as the certificate chains to an authority the phone trusts, it is accepted regardless of which hostname it was actually issued for.

This opens the door to a man-in-the-middle attack. An attacker sitting between the phone and the mail server can present a certificate for some other hostname, issued by any authority the phone trusts, and the phone will complete the SSL handshake with it. The attacker can then read the login credentials and session data of the corresponding protocol (SMTP, POP3 or IMAP). The good news is that Microsoft is reportedly aware of the vulnerability and plans to release an update to address the issue.
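To make the flaw concrete, here is an added example (not code from Windows Phone or from the US-CERT filing) of the decision a mail client makes after the TLS handshake. The certificate dictionaries are constructed by hand in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and both are assumed to chain to a trusted CA; the only difference is the name they were issued for. `accept_server(..., check_name=False)` reproduces the bug, `check_name=True` is the correct behaviour, and `imap_context()` shows the single setting (`check_hostname`) that turns the same flaw on or off in a real `imaplib.IMAP4_SSL` connection. The name-matching follows the standard RFC 6125 rules, which go a little beyond the article: subjectAltName DNS entries take precedence, the CN is only a fallback when no SAN is present, and a wildcard matches exactly one label.

```python
"""Hostname (CN / SAN) verification for a TLS mail client.

Added example, not code from Windows Phone or from the advisory. The
certificate dictionaries below are constructed by hand in the shape
returned by ssl.SSLSocket.getpeercert(); nothing here touches the network.
"""
import ssl

# Constructed sample certificates. Both are assumed to chain to a CA the
# device trusts; only the names differ.
LEGIT_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.com")),
}
ATTACKER_CERT = {  # valid certificate, but for the attacker's own host
    "subject": ((("commonName", "evil.example.net"),),),
    "subjectAltName": (("DNS", "evil.example.net"),),
}
CN_ONLY_CERT = {  # legacy certificate with no subjectAltName extension
    "subject": ((("commonName", "pop.example.org"),),),
}


def _names_in_cert(cert):
    """DNS names the certificate is valid for (RFC 6125 rules).

    subjectAltName DNS entries are authoritative; the subject CN is only a
    fallback when the certificate carries no SAN extension at all.
    """
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def _label_match(pattern, hostname):
    """Match one certificate name against a hostname.

    A wildcard may only be the whole left-most label and matches a single
    label: '*.example.com' matches 'mail.example.com' but neither
    'a.b.example.com' nor 'example.com'. Comparison is case-insensitive.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert, hostname):
    """True if the certificate was issued for `hostname`."""
    return any(_label_match(n, hostname) for n in _names_in_cert(cert))


def accept_server(cert, hostname, chain_is_valid, check_name=True):
    """Decision a mail client makes after the TLS handshake.

    check_name=False reproduces the flaw in the advisory: any certificate
    that chains to a trusted CA is accepted, so a man-in-the-middle holding
    a certificate for *some other* hostname can read the POP3/IMAP/SMTP login.
    """
    if not chain_is_valid:
        return False
    if not check_name:
        return True
    return hostname_matches(cert, hostname)


def imap_context(check_name=True):
    """TLS context for imaplib.IMAP4_SSL(host, 993, ssl_context=...).

    The default context already verifies the chain *and* the hostname;
    check_hostname=False is the single setting that reproduces the bug.
    """
    ctx = ssl.create_default_context()
    if not check_name:
        ctx.check_hostname = False  # never do this in production
    return ctx


if __name__ == "__main__":
    host = "mail.example.com"
    # A client that skips the name check lets the attacker's certificate through.
    print("no name check :", accept_server(ATTACKER_CERT, host, True, check_name=False))
    # A correct client rejects it and accepts only the legitimate one.
    print("with name check:", accept_server(ATTACKER_CERT, host, True))
    print("legit cert     :", accept_server(LEGIT_CERT, host, True))
    # A real connection would be: imaplib.IMAP4_SSL(host, 993, ssl_context=imap_context())
```

The point to take away is that chain validation and name validation are two separate checks: a certificate can be perfectly valid and still belong to the wrong server. Any client that performs only the first check (or that sets the equivalent of `check_hostname = False` to silence a warning) has exactly the weakness described above.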

Microsoft is looking to crank up security in its products, particularly Windows Phone 8. We've previously looked at how the company will be improving security in the next major version of Windows Phone.

Source: US-CERT; thanks, Yotsuba, for the heads up!

Rich Edmonds
Senior Editor, PC Build

Rich Edmonds was formerly a Senior Editor of PC hardware at Windows Central, covering everything related to PC components and NAS. He's been involved in technology for more than a decade and knows a thing or two about the magic inside a PC chassis. You can follow him on Twitter at @RichEdmonds.

  • It's not likely that we first-gen phone owners will get the update... Especially if we're with AT&T..!
  • If you got tango... You'll get this one... It is a security flaw, they'll want to patch that one...;)
  • You mean like build 7740, the SSL certificate revocation that has been available for 9 months? Yeah, my Samsung Focus on AT&T still hasn't gotten that. The disappearing keyboard fix, never got it. Tango, never got it. I've never been more furious at AT&T than I am regarding their lack of concern over distributing security patches and bug fixes.
  • I'm sure you could unlock your Samsung to get unofficial updates
  • I could. Or AT&T could just distribute the updates that everyone else has had for 3+ months. What are all the less-knowledgeable customers supposed to do about it? They've had a disappearing keyboard for a year (since 9/27/11) and they won't know how to use the CAB loader, or even what a CAB loader is. Moreover, they likely have no idea that their phone has recognized a revoked SSL certificate as legitimate since January. These are legitimate problems, not even new features, that customers deserve to have fixed. It's just not right. It really isn't.
  • It should be criminal for ATT to block security updates. Thank goodness I will be able to upgrade to wp8...
  • OR you could just do the method everyone else does to get updates quicker. Unplug the cord while searching for Updates in Zune :) Worked for me
  • Like I said, that's fine for people like you and me. But not everyone feels comfortable doing that. In fact, I imagine most customers have no idea that these updates have been available for 6-12 months and their carrier chose not to distribute them. Those customers only know one way to get updates: when their phone notifies them that they're available. And until AT&T does that, those people are experiencing a buggy OS that they likely blame on Microsoft, when in reality Microsoft has long since fixed those issues and AT&T simply neglected to even make that known.
  • Xpxp2002, you have a point there: why should you have to go through all that trouble when they could just release the update? As for the regular new users who purchased a device with a disappearing keyboard, thinking it can't get fixed, I'm sure they will not want to purchase another Windows Phone, thanks to AT&T.
  • I agree that the carriers suck. However, let's not let Microsoft off the hook for the disappearing keyboard bug. That is 100% their fault and it should have been caught in QA.
  • I give Microsoft a pass on this because everybody makes mistakes and bugs happen in any software. They worked relatively quickly to make the patch and get it out there, so I can't really blame them. The sad part is that they charged nothing to carriers or consumers to update their devices (unlike old Windows Mobile devices, where OEMs passed on a $40 upgrade fee when they decided to make an upgrade available).
    Yet, AT&T, with a free update that would help make their consumers' experiences better opted not to offer it. Then they turn around and call them the "premier partner" for Windows Phone. It's a slap in the face is what it is. I've always defended AT&T to friends and family who criticize it because their coverage is best here and they have done more than the other US carriers to bring Windows Phone devices to market. But sadly, they do next to nothing to support those devices once they leave the store.
  • Still does not work for everyone... My LG will not update, and I have 2 email accounts that use SSL...
    I love my WP7 phone (and even got one for my wife), but come the first of the year we both will get a WP8 device on anybody but AT&T.
    What carrier won't love to have 2 unlimited data users for a customer?
    Not the AT&T death star.
  • Shouldn't have to do anything short of plug your phone in if Att did their jobs. Thank god for wp8 and OTA updates. This will all become a thing of the past hopefully.
  • This [unlocking the phone] isn't even remotely the correct solution. The correct solution is for the carriers to either provide proper support, or get out of the way completely.
  • @xpxp2002 Call AT&T Customer Care and specifically mention the KNOWN vulnerability. Let them know you want your phone patched or a replacement with a patched device. If they don't respond tell them to escalate the call until you get a senior rep. If he or she is not helpful mention the fact they are responsible for the security. If that does not work get a lawyer and start a class action lawsuit. They will happily give you a new Lumia or other device to keep you happy and the lawyers off their back.
  • @robert-it I think if all the customers who own Android devices would call regarding the security threats, they would end up getting a Windows Phone.
  • I'm upgrade-eligible, so do you still think so? I've been waiting for the Lumia 920. I really don't need a new phone at this moment, and can certainly live without it for another 2 months. I'm just frustrated that Windows Phone has been a less-than-excellent experience for most AT&T customers only because AT&T chose not to distribute updates that have been available for months. And I say that with reservation. In all reality it's closer to a year.
  • +1 to all your posts about AT&T shafting all Focus owners. We really got screwed by AT&T.
  • This.
  • OMG, if you have a gen 1 Focus you are in possession of the single easiest device to update to Tango. Grow up or stop complaining, though your complaints against AT&T are legitimate.
  • That's not the point. I also have a 1st gen device that's easy to unlock and mess with, even though it's unlocked and I get updates relatively quickly. He's saying that you don't assume that you need to do these things yourself when you buy a WP device. That's what Android people do. When a carrier sells a phone it has to provide support for it, even if it's just to correct critical flaws. AT&T chose to skip a critical update that fixes serious bugs that affect the end user experience and security flaws, and it doesn't matter where you are in the world, that's a kick in the balls to a customer. The worst part is, knowledgeable people like you, me or him know that this happens; most people don't.
  • 7.8 is non-optional for carriers, and since updates are cumulative you'll eventually get it.
  • Awesome, another update I'll never see.
  • I'm glad I don't have any POP or IMAP accounts. Every email account I access is available via ActiveSync.
  • My Titan gives thanks in advance, probably with 7.8 considering the patch tempo.
  • These are the sort of updates Microsoft should enforce. I say if a carrier is willingly blocking a security update to their customers, they should be liable.
  • +1
  • Does this include their own Hotmail and Outlook emails too?
  • I also would like to know the answer to this. My main account is hotmail and I have a yahoo account as secondary.
  • This is much harder to attack than it sounds. In order to perform the attack you have to be on the network between the phone and the server. Good luck getting that done! FUD article - much harder to accomplish than they make it sound!!!!!
  • AT&T does that so they can sell more iPhones/Androids, just like Ford got someone inside Toyota to sabotage their cars with faulty pedals.
  • You don't have to wait for AT&T; a lot of us updated our phones using information from the XDA-Developers website... The one I used wasn't a hack but a simple thing of changing some settings in the Zune software...
    Also, Toyota sabotaged themselves with old crappy foot pedal designs and customers using aftermarket floor pads that didn't stay in place because they lacked the safety feature of having something to lock them in place...