SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Microsoft ActiveSync
Vendors:   Microsoft
Microsoft ActiveSync Software for Portable Computing Devices Allows Portable Devices to Access Files on a Locked Server
SecurityTracker Alert ID:  1001330
SecurityTracker URL:  http://securitytracker.com/id/1001330
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 17 2001
Impact:   Disclosure of user information

Version(s): 3.1
Description:   It is reported that Microsoft's ActiveSync allows users with portable computing devices to access files on the host when the host has been locked.

Microsoft ActiveSync can reportedly access files (e.g., Outlook appointments, contacts, synchronized files) from a Windows 2000 workstation even though the workstation has been locked. A local user can drop the portable computing device into the dock or can hook it up to the COM port and the device will sync and download data from an ostensibly locked workstation.

The author reports testing this with Microsoft Windows 2000 Professional (build 2195) w/ SP1 and with Microsoft ActiveSync 3.1 (tested using HP Jornada 540 Series running Windows PocketPC (CE v 3.0.948 Build 9357)).

The vendor has reportedly been notified.

Impact:   A local user with an appropriate portable computing device can sync with the Windows host and obtain files when the host is locked.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.microsoft.com/technet/security/
Cause:   Access control error
Underlying OS:  Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Microsoft Makes Interim Response) Re: Microsoft ActiveSync Software for Portable Computing Devices Allows Portable Devices to Access Files on a Locked Server
The vendor makes some interim comments on this reported vulnerability.



 Source Message Contents

Subject:  ActiveSync can access a locked workstation w/o unlocking


Microsoft was notified on 3/28/2001, you may use my name when publishing
this. I cannot register on your site, so I am trying the general e-mail
addresses.

Platforms tested:
===================================================
Microsoft Windows 2000 Professional (build 2195) w/ SP1
Microsoft ActiveSync 3.1 (tested using HP Jornada 540 Series running Windows
PocketPC (CE v 3.0.948 Build 9357))

Issue:
===================================================
MS ActiveSync can access files (Outlook appts, contacts, synced files, etc)
from a Win2K workstation even though the workstation has been locked.  By
simply dropping the HP into the dock, or hooking it up to the COM
port(depending on which sync method is configured), it will sync and
download data from a "locked" workstation. Yikes!

Jeffrey A. Samples,
Vice President, Product Development
TERRADON Communications Group
<http://www.terradoncommunications.com/>
ph. - 304.755.1324
fx. - 304.755.8274

 
 



Copyright 2021, SecurityGlobal.net LLC