Bugtraq mailing list archives
RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Thu, 22 Feb 2007 14:12:44 -0500
Is it truly an "emergency call" if you need to lookup the number? Why not put in your valid password and make a regular call. Security is a lot about expectations. If a device is locked or password-protected, the expectation is that all the data is fully protected all the time. If it's not, then communicate it in the documentation so I can make a valid marketing choice when buying a product. If the concern is that some people would like to have this feature as-is, make it a checkmark decision on the Preferences page. Then both sides are happy. The bigger issue isn't this particular bug. It's a symptom of more and more companies, who when faced with a security problem just decide not to fix it. I think that as long as the product is still expected to be reasonably used, or unless a shorter warranty period is communicated, if a security bug gets revealed, it should be fixed. Note, we're not arguing how long they should have to fix it, but rather if they will fix it ever. That's the central issue. And it's one I'll personally remember when purchasing my next Treo product. I may buy another Treo product, I don't know, but this will absolutely be on my mind as I look at competitor devices. Roger ******************************************************************* *Roger A. Grimes, Banneret Computer Security, Consultant *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada... *email: roger () banneretcs com *Author of Professional Windows Desktop and Server Hardening (Wrox) *http://www.amazon.com/gp/product/0764599909 ******************************************************************* -----Original Message----- From: chgsupra1 () aol com [mailto:chgsupra1 () aol com] Sent: Wednesday, February 21, 2007 9:52 PM To: bugtraq () securityfocus com Subject: Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass I can understand why Palm does not want to fix it. This is my opinion, it stems from feature richness: The initial state the phone is lock and then you received a call, then it provides the user the ability to search for contact/number/meeting/memo...etc (header/prefix only). If this Find feature is blocked, then user would have to hang-up the call and unlock the phone to retrieve the info, then call the user back. I have run into this situation on many occasion, since I did not know of Find feature can be used in this mode. The SecurityLockFindFix.prc is available to block the Find feature, but for the non-security minded person flexibility may way overshadow security, but that is a personal matter. There is no personal choice when the Palm Treo is corporate own, so the fix should be applied.
Current thread:
- SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass research (Feb 14)
- <Possible follow-ups>
- Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass dkirker (Feb 16)
- Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass agonline . dummy (Feb 16)
- Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass chgsupra1 (Feb 22)
- RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass Roger A. Grimes (Feb 22)
- RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass McCarty, Eric C. (Feb 26)
- RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass Roger A. Grimes (Feb 27)
- RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass Roger A. Grimes (Feb 22)
- Re: Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass chgsupra1 (Feb 22)