18 February 2010

Two Vulnerabilities Within ActiveSync, Microsoft's Synchronization Program Between the PC and Mobile Devices


Name of risk:

Manufacturer (if relevant):
Microsoft Corp.


ActiveSync is a synchronization program developed by Microsoft. It allows a mobile device to be synchronized with either a desktop PC or a server running FirstClass Collaboration Suite, Microsoft Exchange Server, PostPath Email and Collaboration Server, Kerio MailServer, Zimbra or Z-push. Only personal information manager (PIM) data (email, calendar, contacts) may be synchronized with Exchange Server. (Tasks may also be synchronized with Exchange Server on Windows Mobile 5.0 devices.) The PC synchronization option, however, allows PIM synchronization with Microsoft Outlook, along with Internet "favorites", files and tasks, amongst other data types. Supported mobile devices include PDAs or smartphones running Windows Mobile or the Windows CE operating system, along with devices that don't use a Microsoft operating system, such as the Symbian and iPhone platforms. ActiveSync also provides for the manual transfer of files to a mobile device, along with limited backup/restore functionality and the ability to install and uninstall mobile device applications.

At a special iPhone SDK launch event on March 6th, 2008, Apple announced that it would use ActiveSync technology to allow for synchronization between iPhones and Microsoft Exchange Server.

Alternative software that allows mobile devices to synchronize non-Microsoft PIMs with a PC is also available, such as FinchSync and BirdieSync for Thunderbird, or Intellisync.

Starting with Windows Vista, the latest release of the Windows operating system, ActiveSync has been replaced with the Windows Mobile Device Center.

The software is free to download from the Microsoft ActiveSync website. Support is usually provided by the device manufacturer and the cost for that support depends on its policy.


Two vulnerabilities were identified in Microsoft ActiveSync (version 3.7.1 and prior), which could be exploited by remote attackers to disclose sensitive information or cause a denial of service.

The first issue is due to a design error in how authentication responses are sent: an attacker can enumerate valid equipment IDs by sending specially crafted requests to port 5679 and examining the differing responses.

The second vulnerability occurs when numerous initialization attempts are made against ActiveSync (port 5679/TCP), which could be exploited by remote attackers to cause a denial of service.
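Both issues above show up on the wire as a burst of connections to TCP port 5679 from one source. As an added example (not part of the original advisory), the following Python detector runs over constructed connection-log lines and flags any source that exceeds a threshold of attempts to that port within a sliding time window; the log format, IP addresses and thresholds are assumptions chosen for the demonstration.

```python
"""Added example (not from the advisory): flag hosts that hammer
ActiveSync's TCP port 5679, the traffic pattern behind both the
equipment-ID enumeration and the denial-of-service issue."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ACTIVESYNC_PORT = 5679  # port named in the advisory

# Constructed sample log lines (assumed format):
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2010-02-18T09:00:01 10.0.0.5 -> 10.0.0.20:5679 TCP
2010-02-18T09:00:01 10.0.0.5 -> 10.0.0.20:5679 TCP
2010-02-18T09:00:02 10.0.0.5 -> 10.0.0.20:5679 TCP
2010-02-18T09:00:02 10.0.0.5 -> 10.0.0.20:5679 TCP
2010-02-18T09:00:03 10.0.0.5 -> 10.0.0.20:5679 TCP
2010-02-18T09:00:03 10.0.0.5 -> 10.0.0.20:5679 TCP
2010-02-18T09:00:05 10.0.0.7 -> 10.0.0.20:5679 TCP
2010-02-18T09:00:09 10.0.0.7 -> 10.0.0.20:443 TCP
2010-02-18T09:01:30 10.0.0.7 -> 10.0.0.20:5679 TCP
"""


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, proto)."""
    ts, src, _arrow, dst, proto = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), proto


def detect_bursts(log_text, threshold=5, window_seconds=10):
    """Return {src_ip: ISO time of first alert} for every source that makes
    at least `threshold` TCP connections to port 5679 within any
    `window_seconds`-wide sliding window."""
    recent = defaultdict(deque)  # src_ip -> timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _dst_ip, dst_port, proto = parse_line(line)
        if proto != "TCP" or dst_port != ACTIVESYNC_PORT:
            continue  # only ActiveSync traffic is of interest here
        q = recent[src]
        q.append(ts)
        # drop attempts that have fallen out of the window
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts.isoformat()
    return alerts


if __name__ == "__main__":
    for src, when in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT {when}: {src} exceeded connection threshold to TCP/{ACTIVESYNC_PORT}")
```

On the constructed input only 10.0.0.5 is flagged, at the fifth attempt; 10.0.0.7 makes two attempts more than a minute apart and stays below the threshold. Tune `threshold` and `window_seconds` to the normal sync cadence of the environment before deploying a rule like this, since a legitimate device reconnecting after a flaky cradle can also produce short bursts.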

Microsoft ActiveSync 4.1, as used in Windows Mobile 5.0, uses weak encryption (XOR obfuscation with a fixed key) when sending the user's PIN/Password over the USB connection from the host to the device, which might make it easier for attackers to decode a PIN/Password obtained by sniffing or spoofing the docking process.
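To make clear why XOR with a fixed key is obfuscation rather than encryption, here is an added Python example (not Microsoft's code): XOR is its own inverse, so a single known PIN/wire-bytes pair reveals the key, and that key then decodes every other PIN sent under it. The 4-byte key below is a constructed placeholder; the advisory does not give the real one. For contrast, the second function shows that a fresh random key per message does not leak this way.

```python
"""Added example, not Microsoft's code: a fixed XOR key leaks from one
known plaintext/ciphertext pair. The key value is a placeholder."""
import os

ASSUMED_FIXED_KEY = bytes.fromhex("5a3cc1e7")  # placeholder, constructed for the demo


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(plaintext: bytes, obfuscated: bytes) -> bytes:
    """c = p ^ k implies k = c ^ p: one known pair yields as many key
    bytes as the pair is long."""
    return xor_with_key(plaintext, obfuscated)


def fixed_key_leaks(known_pin: bytes = b"1234", other_pin: bytes = b"9876") -> dict:
    """With a fixed key, the key learned from one known PIN decodes any
    other PIN of the same length sent later under that key."""
    wire_known = xor_with_key(known_pin, ASSUMED_FIXED_KEY)
    leaked_key = recover_key(known_pin, wire_known)
    wire_other = xor_with_key(other_pin, ASSUMED_FIXED_KEY)
    return {
        "key_recovered": leaked_key == ASSUMED_FIXED_KEY[: len(known_pin)],
        "other_decoded": xor_with_key(wire_other, leaked_key) == other_pin,
    }


def per_message_key_does_not_leak(known_pin: bytes = b"1234", other_pin: bytes = b"9876") -> dict:
    """Contrast: a fresh random key per message (one-time-pad style) means
    the key learned from one pair says nothing about the next message."""
    key1, key2 = os.urandom(len(known_pin)), os.urandom(len(other_pin))
    leaked_key = recover_key(known_pin, xor_with_key(known_pin, key1))
    wire_other = xor_with_key(other_pin, key2)
    return {
        "key_recovered": leaked_key == key1,
        "other_decoded": xor_with_key(wire_other, leaked_key) == other_pin,
    }


if __name__ == "__main__":
    print("fixed key:      ", fixed_key_leaks())
    print("per-message key:", per_message_key_does_not_leak())
```

The fixed-key run reports both `key_recovered` and `other_decoded` as true, which is the whole weakness: a key that ships with the software is effectively public. The per-message run still recovers its own key (XOR is always reversible given the plaintext) but cannot decode the second PIN. In practice the remedy is not a one-time pad over USB but an authenticated channel whose session key is negotiated per pairing, so that no secret is fixed across installations.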

Systems Affected:
Microsoft Windows.

Level of risk:
Less Critical (2).

Type of threat:
Denial of service attacks, Sniffing.


AbhiShek SinGh
Founder of 'TheHackingArticles'. Cyber Security Analyst, Cyber Security Researcher, and Software Engineer.
