WebOS 1.2 Fixed A Serious File Security Issue
The webOS 1.2 update brought many much-appreciated new features, updated old features and software bug fixes. Of course, there are also a few issues to deal with (especially when it comes to Exchange), but overall most users are enjoying the update.
There is one interesting, rather nondescript, mention on the 1.2 changelog:
Security
This release addresses several security issues with Palm webOS software.
We would like to thank Townsend Ladd Harris for his help in identifying some of the issues addressed in this release.
Townsend Ladd Harris runs this computer security blog and has reported several security issues with the WebOS in previous versions. What he found in 1.1 was pretty serious.
The security issue in question concerned the email application and malicious code in emails. Essentially, an email with malicious code could provide remote access to files on the WebOS device. Harris has even gone so far as to demonstrate the process in this flash video, showing how potentially devastating this malicious code could be: all your emails and contacts snatched simply by opening a malicious email.
In other words - thank heavens for webOS 1.2. If you're holding off on updating (or have downgraded back to 1.1 because of Exchange compatibility), we're thinking it's safer to get your Pre up to date.
Special thanks to Townsend Ladd Harris

16 Comments
It might be safer, but if you depend on Exchange email for work it's not an option. Really, how serious a target is the Pre for hackers? Not very, at this point. I'm not saying the bug shouldn't have been fixed, but the reality is that even if you're still at 1.1 your risk is extremely low.
OTOH, I think it's unacceptable that Palm released a patch that broke existing functionality. Do these guys understand what software testing is supposed to be? Have they heard the term "regression testing"? Serious FAIL, boys.
My Exchange for email, calendar, and contacts works great with 1.2. My Pre buzzes when I get an email about 3-5 seconds before my Outlook gets it. It's likely an Exchange configuration issue.
I'm sure they did test it, and it worked fine when they did. It works fine for me and many other folks working with Exchange. It breaks on *some* Exchange servers only, so it's a configuration issue. It's unreasonable to expect they tested it with every possible configuration of Exchange.
If it broke every Exchange server it would be a Fail. It didn't. Most corporate ones seem fine from the reports. Does it suck for those who it broke for? Yes. But I'm sure Palm has guys working on it to figure out what configurations on Exchange are raising the issue.
I work for a corporation of 3000+ employees with Exchange 2007. The syncing has been working perfectly since WebOS 1.0 thru 1.1. Any of our employees who have upgraded their Pre to 1.2 has had EAS fail immediately after the upgrade.
Our IT department will not change any of the Exchange policies. Like most IT departments ours does not and will not make changes to support any particular phone. I understand their position as that can quickly become a support nightmare. One Exchange policy for all is the lowest cost / lowest risk option. All of my fellow employees using iPhones, G1s, and Palm Pres with 1.1 all work.
I have also seen comments that this is not a wide-spread problem. What is that based on? Certainly not on any empirical data. Anecdotally it seems to me the opposite, that a large number of folks are posting comments on the articles and forums here on precentral as well as palm's own official support forum. I guess if it affects you personally it seems larger, and if it doesn't it seems smaller.
I have logged a ticket with Palm Tech support. Everyone should call them if for no other reason but so they can have accurate statistics as to how wide-spread the problem is.
Some perspective for you: A single forum or even 2 or 3 forums only represents a very small portion of everyone who owns a Pre. Precentral has 64,585 users at the time of writing this. Now consider only a fraction of those are reporting the issue. Even if we assume half of them are (which is a huge exaggeration), that is only 3% of everyone who owns a Pre. So now looking to reality, the number of Pre owners who are affected by this Exchange issue is less than 3%, probably closer to 1% than 3%. This is a big deal for those affected, but in the whole picture it would have been easy to overlook a configuration that such a small amount of people are using. So obviously it is a rare way of using Exchange they may not even have known about to test.
You're assuming that everyone experiencing a problem is posting on a forum.
Whether the risk posed by an exploit is low or not, Palm should stay focused on fixing it. Too much is at stake and they've come too far to get tripped up by security. What they don't need right now is to get labeled as an "insecure" platform. They are building their new reputation in the mobile world. Their message should be "we take security very seriously" in word and deed.
First I would like to thank Precentral for posting the article, very cool! The vulnerability is definitely interesting and does have a few caveats when it comes to binary data, but serious nonetheless. I would also like to say that the Palm WebOS security team has been great to deal with and are very eager to fix all the bugs I send their way and pretty quickly I might add. Overall they have been the best vendor in regards to security issues I have ever dealt with. The full details on the issue will be released on my blog once enough people have patched to WebOS 1.2.
My take on the whole risk issue is that to me, any vulnerability in any system I use is an issue regardless of how high on the totem pole you are. One day you will/could get hit, might as well fix as many as we can now and take them away from the bad guys later on =p
As far as exchange, I use it and as of today I have no issues.
Again thanks to Precentral for the article.
-Townsend Ladd Harris
I think the aversion to upgrading to 1.2 is unwarranted.
My phone is rooted and heavily modified and it runs absolutely fine. I still have Preware, Terminal, SSH access, Tethering as well.. all never skipped a beat
I also have gmail, exchange, and my google talk and aim accounts in there. Everything working perfectly.
(aside from being affected by the Palm profile server being down, but I'm all good now)
My phone runs better than ever.
The aversion is warranted if it affects you.
I have to agree with most posts in this blog. My Pre along with my EAS IS WORKING LIKE A FINELY TUNED MACHINE! After update 1.2 my Pre is absolutely fabulous. The UI really is much quicker now and the way the phone manages web pages is awesome. All I can say is WOW! Keep up the excellent work Palm. WEBOS will catch fire and when it does ...WATCHOUT!
Those that keep saying that their Exchange is working wonderfully must not be using SSL. SSL for 1.2 is broken and appears to have not been tested at all before Palm released it. I think it is a MAJOR fail on Palm's part and a fix should be released IMMEDIATELY and not wait for 1.2.1 to be released.
I am an Exchange admin and I am utilizing SSL with EAS. I upgraded to 1.2 on my Pre on day one. I connect to my Exchange account without issue.
great article and the video is awesome thanks Townsend Ladd Harris
I work at a company which has extreme security settings on Exchange. When I had my Mogul it would time out in less than 5 secs. of inactivity. I couldn't even carry on a very fast responding text. I uninstalled and started going in through the web it was so bad. I have not tried it on the Pre at all because I didn't believe it would work with our settings. But my question is this. Say 1.2 does break EAS, and you downgrade to 1.1. Then a virus does somehow happen to steal your work information, customer info stored, etc. Being that you chose to continue using an unpatched device, how much trouble would you be in? Not at all worth the risk. Use the back door until it is fixed! Thanks Townsend!
There were a lot of bugs in this OS. I am so glad for the updates and fixes for this. My main concern was the security issue.