Hi Jeff,

We've checked our records, but are unable to find any record of a mail from you to the Security Response Center. If you did indeed send to secureat_private, could you send us a copy of the mail to assist us in troubleshooting?

In regards to the behavior you described, there are three points that are particularly important to keep in mind:

1. The desktop will only synchronize with a Pocket PC if a partnership has previously been created, and a partnership can only be created from the desktop side -- one can't be created by a Pocket PC.
2. If a PIN has been selected for the Pocket PC, an attacker would be unable to obtain any information from the device, regardless of whether it had been synchronized.
3. Even if an attacker obtained a Pocket PC for which a partnership already had been created, and knew the PIN for the device, he or she could only use it to obtain information from the desktop if ActiveSync had been configured to automatically synchronize anytime a device is connected.

We'd like to make sure we've investigated the report fully. If you have seen cases outside of the above parameters, please let us know immediately and we'll begin an investigation.

Best regards,

Alex Uy
Security Program Manager
Microsoft Security Response Center

-----Original Message-----
From: Jeff.Samples [mailto:Jeff.Samplesat_private]
Sent: Monday, April 16, 2001 5:06 AM
To: BUGTRAQat_private
Subject: ActiveSync can access a locked workstation w/o unlocking

Microsoft was notified on 3/28/2001, you may use my name when publishing this. I cannot register on your site, so I am trying the general e-mail addresses.

Platforms tested:
===================================================
Microsoft Windows 2000 Professional (build 2195) w/ SP1
Microsoft ActiveSync 3.1 (tested using HP Jornada 540 Series running Windows PocketPC (CE v 3.0.948 Build 9357))

Issue:
===================================================
MS ActiveSync can access files (Outlook appts, contacts, synced files, etc) from a Win2K workstation even though the workstation has been locked. By simply dropping the HP into the dock, or hooking it up to the COM port (depending on which sync method is configured), it will sync and download data from a "locked" workstation.

Yikes!

Jeffrey A. Samples, Vice President, Product Development
TERRADON Communications Group <http://www.terradoncommunications.com/>
ph. - 304.755.1324
fx. - 304.755.8274
This archive was generated by hypermail 2b30 : Tue Apr 17 2001 - 00:47:47 PDT