A serious problem with the implementation of Exchange ActiveSync in the latest version of Apple’s iOS mobile operating system was addressed this week in an OS update.
Meanwhile, administrators were alerted by Blackberry that a flaw was discovered in its server software that could be exploited to run code on it remotely.
Apple’s update, version 6.1.2 of iOS, fixes a problem that occurs when a device accepts an exception to a recurring calendar event.
“When you respond to an exception to a recurring calendar event with a Microsoft Exchange account on a device running iOS 6.1, the device may begin to generate excessive communication with Microsoft Exchange Server,” Apple explained in a support advisory.
“You may notice increased network activity or reduced battery life on the iOS device,” it continued. “This extra network activity will be shown in the logs on Exchange Server and it may lead to the server blocking the iOS device. This can occur with iOS 6.1 and Microsoft Exchange 2010 SP1 or later, or Microsoft Exchange Online (Office365).”
Apple reacted quickly to the ActiveSync problem — for good reason. Microsoft had recommended two workarounds. One called for blocking the repeating MeetingResponse attempt using either a perimeter device rule or the URL Rewrite Module 2.0 for Internet Information Server 7 and 7.5, on Windows Server 2008 and Windows Server 2008 R2. That solution, though, didn’t work in all scenarios.
The second workaround was more drastic, and one that threatened Apple’s darling status among the BYOD crowd. Microsoft suggested blocking all iOS 6.1 and 6.1.1 users from accessing Exchange.
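Apple notes that the extra traffic shows up in the Exchange server logs, so before resorting to either of Microsoft's workarounds an administrator can measure which devices are actually looping. The following is an added example, not code from the article or from Microsoft; it assumes a simplified IIS W3C log layout and uses constructed sample lines, flagging any device that sends MeetingResponse repeatedly (the threshold of 10 is an assumption to tune per site).

```python
import re
from collections import defaultdict

# Constructed sample IIS log excerpt (assumption: simplified W3C field order
# "date time cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status").
# Device APPL001 repeats MeetingResponse for one event; APPL002 answers once.
SAMPLE_LOG = "\n".join(
    ["2013-02-19 09:00:00 POST /Microsoft-Server-ActiveSync "
     "Cmd=Sync&User=alice&DeviceId=APPL001&DeviceType=iPhone 10.0.0.5 Apple-iPhone/1002.141 200"]
    + [f"2013-02-19 09:00:{s:02d} POST /Microsoft-Server-ActiveSync "
       "Cmd=MeetingResponse&User=alice&DeviceId=APPL001&DeviceType=iPhone 10.0.0.5 Apple-iPhone/1002.141 200"
       for s in range(1, 13)]
    + ["2013-02-19 09:00:30 POST /Microsoft-Server-ActiveSync "
       "Cmd=MeetingResponse&User=bob&DeviceId=APPL002&DeviceType=iPhone 10.0.0.6 Apple-iPhone/1002.141 200"]
)

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<method>\S+) (?P<stem>\S+) (?P<query>\S+) "
    r"(?P<ip>\S+) (?P<ua>\S+) (?P<status>\d+)$"
)

def parse_query(query):
    """Split an ActiveSync query string into a dict (Cmd, User, DeviceId, ...)."""
    return dict(part.split("=", 1) for part in query.split("&") if "=" in part)

def count_meeting_responses(log_text):
    """Return {(user, device_id): count} of MeetingResponse commands per device."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("stem") != "/Microsoft-Server-ActiveSync":
            continue  # not an ActiveSync request, or a line we cannot parse
        q = parse_query(m.group("query"))
        if q.get("Cmd") == "MeetingResponse":
            counts[(q.get("User"), q.get("DeviceId"))] += 1
    return dict(counts)

def flag_looping_devices(log_text, threshold=10):
    """Devices whose MeetingResponse count reaches the threshold, busiest first."""
    hot = [(u, d, n) for (u, d), n in count_meeting_responses(log_text).items() if n >= threshold]
    return sorted(hot, key=lambda t: -t[2])

if __name__ == "__main__":
    for user, device, n in flag_looping_devices(SAMPLE_LOG):
        print(f"{user} device {device}: {n} MeetingResponse requests")
```

Running it against real logs lets an administrator block or contact only the affected users rather than every iOS 6.1 device.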
Another iOS flaw with security ramifications appears not to have been addressed by the update. It allows the lock screen on an iPhone to be bypassed, by going through a number of convoluted steps. Once it’s bypassed, an unauthorized user can access a phone’s contacts, voicemails and photos.
Breaking the lock screen can be done in a matter of seconds. It involves making an emergency call, canceling it immediately — all the while holding down the power button a few times.
Cracking into an iPhone so easily will not endear the device to IT managers already concerned about data security on BYOD devices.
As far as security goes, BlackBerry has a sterling reputation among IT managers, but it, too, had vulnerability problems acknowledged last week.
What’s disturbing about the BlackBerry flaw is that it involves a novel way of infecting the company’s smartphones. According to the BlackBerry advisory:
“Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry smartphone. Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server.
“Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.”
The flaw could be exploited in a couple of ways, according to BlackBerry. A web page specially crafted to exploit the vulnerability could be created. The attacker would then need to lure BlackBerry phone users to the site through a malicious link embedded in an instant message or email.
The second method involves a custom TIFF image sent to a BlackBerry user in an email message or enterprise instant message. That attack is particularly pernicious.
“The user does not need to click a link or an image, or view the email message or instant message for the attack to succeed in this scenario,” the BlackBerry advisory said.