Windows Phone Becomes Latest Microsoft OS to Suffer From "Nuking"
December 13, 2011 1:14 PM
comment(s) - last by
Hackers can reset your phone via SMS, Facebook, or Windows Live Messenger communications
Some of you may have fond memories of "nuking" local Windows 95 machines using urgent pointer (URG) based TCP "winnuke" tools (e.g. "NukeIt") or Windows 98 machines via large fragmented IGMP packets with malformed headers. Now Microsoft's Windows Phone has become the latest in a long line of Microsoft Corp. (
) operating systems to be "hosed" by malicious traffic.
The flaw in Windows Phone, which affects the
latest build of Windows Phone 7.5 Mango
, as well as previous versions, was first discovered by Windows Phone hacker
. Rather than following in the tradition of hackers of yore, he worked with the site
to report the bug and securely disclose it to Microsoft.
The flaw appears to affect all Windows Phones, regardless of the manufacturer or model.
The attack works by sending a message to the Windows Phone message hub application. As this app accepts a variety of messages, the attacking message can be in the form of a SMS text message, a Facebook message, or a Windows Live Messenger hub.
When the message is received, errors in the handling in the hub cause the message to lock the device, killing whatever work you had in process. You can recover via a reboot.
However, your message hub app will stay dead. It is unclear if there is a fix for restoring messaging functionality, but barring a reformat of your device, the affected phone may be unable to message. Worse yet, if you have a live tile from the contact that sent the message, once it updates post-reboot it will trigger another system lock-up. There is a workaround for this -- quickly navigate to the homescreen and remove/unpin the tile before it "flips" (updates).
Here's a video, courtesy of
of the attack in action:
For now, as mentioned, this severe vulnerability's implementation details are under wraps, pending a fix, so Windows Phone users should only be mildly concerned.
Again, this vulnerability appears to be solely capable of denial of service, and does not affect your system security. In that regard it appears to be very similar to the aforementioned "winnuke" attacks, or the more recent "
" messaging attack demoed against Android and iOS by researchers Collin Mulliner, a PhD student in the
Security in Telecommunications
department at the
Technische Universitaet Berlin
, an undergraduate student at the same institution.
These attacks differ from security-breach attacks, like the
SMS attack that affected older unpatched version of iOS
, first discovered by Charlie Miller. The key difference is that those kinds of attacks utilize flaws in messaging apps which allow the execution of arbitrary code as a path to root control; where as attacks like the one in this article exploit flaws in message handling which do not execute arbitrary code, but do trigger some sort of catastrophic system failure.
This article is over a month old, voting and posting comments is disabled
12/15/2011 8:01:20 PM
LMAO, just as Microsoft tries to bash any other product on security, some new critical flaw happens. Lol. On the desktop, people are quick to claim that Microsoft suffers the most because it has the biggest market share and is therefore the largest target. In the mobile space however, Android and iOS are the two current kings, and yet the old trend continues - Microsoft suffers from critical security flaws while everyone else is nice and solid. Hmmmmmmmm.....
"Game reviewers fought each other to write the most glowing coverage possible for the powerhouse Sony, MS systems. Reviewers flipped coins to see who would review the Nintendo Wii. The losers got stuck with the job." -- Andy Marken
Windows Phone 7.5 "Mango" Now Rolling Out to Customers
September 27, 2011, 9:40 PM
Apple's iPhone Executes SMS Binary Code as Root, Fix Won't Come Until End of Month
July 2, 2009, 3:38 PM
Quick Note: Apple Watch to Get Brick and Mortar Boost From Best Buy
July 27, 2015, 3:00 PM
Can HTC Save Its "RE Grip" Smartband After Its Inexplicable Failure Launch?
July 17, 2015, 2:29 PM
Facebook's "Moneypenny" is Cross Platform Siri on Steroids
July 15, 2015, 3:59 PM
Apple Watch Sales Have Plummeted
July 8, 2015, 5:01 PM
Consumer Reports: Galaxy S6 and iPhone 6 Can't Keep Up w/ Galaxy S5
July 6, 2015, 4:57 PM
Apple iOS 8.4 Rolls Out w/ Fix to Crash-Causing Unicode Text
June 30, 2015, 3:24 PM
Most Popular Articles
Microsoft July 29 Windows 10 Launch: Freebies, Rollout, and What's Next
July 21, 2015, 2:40 PM
As iPad Sales Wane and Watch Flops, iPhone Saves Apple's Profit With Its Heroics
July 22, 2015, 6:13 PM
Editorial: Reddit Allows Itself to be Hijacked as a Hate Platform For Racist Bigots
July 21, 2015, 6:32 PM
Mozilla and Facebook to Adobe: It's Time to Kill Flash
July 20, 2015, 6:30 PM
Google Scores Bizarre Court Win as Disgruntled Android Users' Lawyers Ruin Case
July 16, 2015, 5:58 PM
Latest Blog Posts
Sceptre Airs 27", 120 Hz. 1080p Monitor/HDTV w/ 5 ms Response Time for $220
Dec 3, 2014, 10:32 PM
Costco Gives Employees Thanksgiving Off; Wal-Mart Leads "Black Thursday" Charge
Oct 29, 2014, 9:57 PM
"Bear Selfies" Fad Could Turn Deadly, Warn Nevada Wildlife Officials
Oct 28, 2014, 12:00 PM
The Surface Mini That Was Never Released Gets "Hands On" Treatment
Sep 26, 2014, 8:22 AM
ISIS Imposes Ban on Teaching Evolution in Iraq
Sep 17, 2014, 5:22 PM
More Blog Posts
Copyright 2015 DailyTech LLC. -
Terms, Conditions & Privacy Information