http://www.siemensjobcam.com/windows-mobile-activesync-replacement/

ActiveSync: two vulnerabilities in Microsoft's program for synchronization between PC and mobile devices
Date:
June 1, 2008
Name of risk:
ActiveSync.
Manufacturer (if applicable):
Microsoft Corp.
Description:
ActiveSync is a synchronization program developed by Microsoft. It allows a mobile device to be synchronized with a desktop PC or with a server running FirstClass Collaboration Suite, Microsoft Exchange Server, PostPath email and collaboration servers, Kerio MailServer, Zimbra or Z-push. Only personal information manager (PIM) data (email, calendar, contacts) can be synchronized with Exchange Server. (Tasks can also be synchronized with Exchange Server on Windows Mobile 5.0.) The PC synchronization option, however, allows PIM synchronization with Microsoft Outlook, along with Internet "favorites", files and tasks, among other data types. Supported mobile devices include PDAs and smartphones running the Windows Mobile or Windows CE operating system, along with devices that do not use a Microsoft operating system, such as the Symbian and iPhone platforms. ActiveSync also provides manual file transfer to a mobile device, along with limited backup and restore functionality and the ability to install and uninstall mobile device applications.
At a special event to launch the iPhone SDK on March 6, 2008, Apple announced that it would use ActiveSync technology to enable synchronization between the iPhone and Microsoft Exchange Server.
Alternative software that enables mobile devices to synchronize with non-Microsoft PIMs on a PC is also available, such as BirdieSync and FinchSync for Thunderbird, or Intellisync.
Starting with Windows Vista, the latest version of the Windows operating system, ActiveSync has been replaced by the Windows Mobile Device Center.
ActiveSync can be downloaded free of charge from Microsoft's website. Support is generally provided by the manufacturer of the device, and the cost of this support depends on the manufacturer's policy.
Vulnerabilities
Two vulnerabilities were identified in Microsoft ActiveSync (version 3.7.1 and earlier), which could be exploited by malicious people to disclose sensitive information or cause a denial of service.
The first issue is due to a design error when sending authentication responses, which could be exploited by attackers to enumerate valid equipment IDs by sending specially crafted requests to port 5679 and reviewing the responses.
The second vulnerability occurs when numerous initialization attempts are made against ActiveSync (port 5679/TCP), which could be exploited by remote attackers to cause a denial of service.
Microsoft ActiveSync 4.1, as used in Windows Mobile 5.0, uses weak encryption (XOR obfuscation with a key) when sending the user's PIN/password over the USB connection from the computer to the device, which could make it easier for hackers to decode a PIN/password obtained by sniffing or by spoofing the pairing process.
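Why XOR obfuscation with a key gives a PIN no real protection, shown as an added example that is not Microsoft's code and not part of the original advisory. The key, the PINs and all function names are constructed for illustration and do not reflect ActiveSync's actual key or USB message format; looks_like_fixed_xor is a hypothetical review check for recognising this weakness in an encoder.

```python
import secrets
from itertools import cycle

# Constructed sample key for illustration; not the key ActiveSync uses.
FIXED_KEY = b"\x5a\xc3\x19\x7e"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_obfuscate(data: bytes, key: bytes = FIXED_KEY) -> bytes:
    """Repeating-key XOR. Applying it twice returns the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_keystream(known_plain: bytes, observed: bytes) -> bytes:
    """A single known plaintext/ciphertext pair yields the keystream."""
    return xor_bytes(known_plain, observed)


def looks_like_fixed_xor(encode, length: int = 8) -> bool:
    """Review check for a black-box encoder (hypothetical helper).

    With a fixed XOR keystream the output is deterministic, keeps the
    input length, and c1 XOR c2 always equals p1 XOR p2.
    """
    p1, p2 = secrets.token_bytes(length), secrets.token_bytes(length)
    c1, c2 = encode(p1), encode(p2)
    if len(c1) != length or len(c2) != length:
        return False
    return xor_bytes(c1, c2) == xor_bytes(p1, p2) and encode(p1) == c1


if __name__ == "__main__":
    own_pin = b"4821"                      # constructed: PIN the observer knows
    own_wire = xor_obfuscate(own_pin)      # what crosses the link for it
    keystream = recover_keystream(own_pin, own_wire)

    other_wire = xor_obfuscate(b"9035")    # constructed: someone else's PIN
    print("decoded without the key:", xor_bytes(other_wire, keystream))
    print("flagged as fixed-key XOR:", looks_like_fixed_xor(xor_obfuscate))
```

An encoder for which this check returns True offers no confidentiality against anyone who can observe the link and knows one plaintext.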
Systems Affected:
Microsoft Windows.
Risk Level:
Less critical (2).
Type of threat:
Denial of service attacks, sniffing.
Link:
http://en.wikipedia.org/wiki/ActiveSync