<<< Date Index >>>     <<< Thread Index >>>

RE: SYMSA-2007-002: Palm OS Treo Find Feature System Password Bypass



Is it truly an "emergency call" if you need to lookup the number?  Why
not put in your valid password and make a regular call.

Security is a lot about expectations. If a device is locked or
password-protected, the expectation is that all the data is fully
protected all the time. If it's not, then communicate it in the
documentation so I can make a valid marketing choice when buying a
product. 

If the concern is that some people would like to have this feature
as-is, make it a checkmark decision on the Preferences page. Then both
sides are happy. 

The bigger issue isn't this particular bug. It's a symptom of more and
more companies, who when faced with a security problem just decide not
to fix it. I think that as long as the product is still expected to be
reasonably used, or unless a shorter warranty period is communicated, if
a security bug gets revealed, it should be fixed. Note, we're not
arguing how long they should have to fix it, but rather if they will fix
it ever.  That's the central issue. And it's one I'll personally
remember when purchasing my next Treo product. I may buy another Treo
product, I don't know, but this will absolutely be on my mind as I look
at competitor devices.

Roger

*******************************************************************
*Roger A. Grimes, Banneret Computer Security, Consultant 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger@xxxxxxxxxxxxxx
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*******************************************************************



-----Original Message-----
From: chgsupra1@xxxxxxx [mailto:chgsupra1@xxxxxxx] 
Sent: Wednesday, February 21, 2007 9:52 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: SYMSA-2007-002: Palm OS Treo Find Feature System Password
Bypass

I can understand why Palm does not want to fix it. This is my opinion,
it stems from feature richness: The initial state the phone is lock and
then you received a call, then it provides the user the ability to
search for contact/number/meeting/memo...etc (header/prefix only). If
this Find feature is blocked, then user would have to hang-up the call
and unlock the phone to retrieve the info, then call the user back.  I
have run into this situation on many occasion, since I did not know of
Find feature can be used in this mode.

The SecurityLockFindFix.prc is available to block the Find feature, but
for the non-security minded person flexibility may way overshadow
security, but that is a personal matter. There is no personal choice
when the Palm Treo is corporate own, so the fix should be applied.