
Windows Phone Certificate Validation Vulnerability

Last Update Date: 19 Sep 2012 10:35
Release Date: 19 Sep 2012

RISK: Medium Risk

TYPE: Operating Systems - Mobile & Apps

TYPE: Mobile & Apps

A vulnerability has been identified in Windows Phone 7. A remote user can spoof secure e-mail servers in certain cases.

 

The software does not validate Common Name (CN) values of mail server SSL certificates when sending or retrieving email via POP3, IMAP, and SMTP.

 

A remote user with the ability to conduct a man-in-the-middle attack between the target e-mail server and the target phone device can spoof the secure e-mail server to access the encrypted session.
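
The check described above as missing, sketched as an added example (not code from this advisory or from Windows Phone): a mail client must confirm that the certificate names the server it intended to reach, not merely that the certificate chains to a trusted CA. The example generalizes from the CN to subjectAltName DNS entries, which take precedence when present; the certificates are constructed in the layout of Python's `ssl.SSLSocket.getpeercert()` and all host names are hypothetical.

```python
import ssl

# Constructed certificates in the dict layout returned by ssl.SSLSocket.getpeercert().
# All host names are hypothetical.
GOOD_CERT = {"subject": ((("commonName", "imap.example.com"),),),
             "subjectAltName": (("DNS", "imap.example.com"),)}
OTHER_SITE_CERT = {"subject": ((("commonName", "mail.other.example"),),),
                   "subjectAltName": (("DNS", "mail.other.example"),)}
WILDCARD_CERT = {"subject": ((("commonName", "*.example.com"),),),
                 "subjectAltName": (("DNS", "*.example.com"),)}
CN_ONLY_CERT = {"subject": ((("commonName", "pop.example.com"),),)}


def cert_names(cert):
    """DNS subjectAltName entries if present, otherwise the subject CN(s)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive label comparison; '*' may only be the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2 and h[0]:
        p, h = p[1:], h[1:]  # wildcard covers exactly one non-empty label
    return p == h


def server_identity_ok(cert, host):
    """True only if the certificate names the host the client meant to reach."""
    return any(name_matches(n, host) for n in cert_names(cert))


def mail_tls_context():
    """Client context that enforces chain validation and the host name check."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True  # already the default; set explicitly
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
# Pass the context to imaplib.IMAP4_SSL(host, ssl_context=ctx),
# poplib.POP3_SSL(host, context=ctx) or smtplib.SMTP_SSL(host, context=ctx).
```

A client that skips `server_identity_ok` accepts `OTHER_SITE_CERT` for `imap.example.com` as long as its chain is trusted, which is the spoofing condition this advisory describes.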

 

NOTE: No official solution is currently available


Impact

  • Spoofing

System / Technologies affected

  • Windows Phone 7

Solutions

Before installing the software, please visit the software manufacturer's website for more details.

  • NOTE: No official solution is currently available


Vulnerability Identifier


Source


Related Link