In association with heise online

20 July 2009, 14:34

Patch for HTC smartphones


HTC has released a security patch for its HTC Touch Diamond, Touch Pro and Touch HD smartphones to fix a security vulnerability in a Bluetooth driver. The devices run Windows Mobile 6 and Windows Mobile 6.1.

The problem is caused by a directory traversal vulnerability in the Bluetooth OBEX FTP server, which allows an attacker to access files outside of the permitted directory. To achieve this, an attacker merely needs to insert one or more strings for switching to the parent directory in front of the path ("../" or "..\\"). This allows an attacker to upload files to a device or sniff out data.

The bug was discovered by Alberto Moreno Tablado earlier this year, but he initially assumed it was a bug in Windows Mobile. It subsequently became clear that the problem was in an HTC driver. According to Tablado, HTC was informed of the problem in February.
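
The path check that the OBEX FTP traversal described above calls for, as an added example (not HTC's code or part of the original article): an unchecked join next to a resolver that normalizes both separator styles and refuses names that leave the shared directory. The share root and the sample file names are assumptions made for illustration.

```python
import re

# Assumed share root for illustration; the article does not name the real one.
SHARE_ROOT = r"\My Documents\Bluetooth Share"
_SEPARATORS = re.compile(r"[\\/]+")  # treat "/" and "\" alike


class TraversalError(ValueError):
    """The requested name resolves outside the shared directory."""


def naive_resolve(requested, root=SHARE_ROOT):
    """Flawed pattern: the client-supplied name is appended unchecked."""
    return root + "\\" + requested


def normalize(path):
    """Collapse '.' and '..' components as the file system would."""
    parts = []
    for comp in _SEPARATORS.split(path):
        if comp in ("", "."):
            continue
        if comp == "..":
            if parts:
                parts.pop()
        else:
            parts.append(comp)
    return parts


def safe_resolve(requested, root=SHARE_ROOT):
    """Resolve a client-supplied name; refuse anything outside root."""
    root_parts = [p.lower() for p in normalize(root)]
    resolved = normalize(root + "\\" + requested)
    # Compare whole components (case-insensitively), not a string prefix,
    # so a sibling such as "Bluetooth Share2" is not mistaken for the root.
    if [p.lower() for p in resolved[:len(root_parts)]] != root_parts:
        raise TraversalError("%r escapes the shared directory" % requested)
    return "\\" + "\\".join(resolved)


if __name__ == "__main__":
    # Constructed sample names, not taken from the advisory.
    for name in ["photo.jpg", r"..\..\Windows\x.txt", "../../Windows/x.txt",
                 r"..\Bluetooth Share2\x.txt", r"sub\..\photo.jpg"]:
        try:
            print("ALLOW", safe_resolve(name))
        except TraversalError as exc:
            print("DENY ", exc)
```

The check runs on the fully resolved path rather than on the raw string, so it does not depend on spotting every spelling of the parent-directory sequence.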
