Home : Networking : News

Microsoft push email security questioned

US analyst report highlights concerns over Windows Mobile and Exchange support for push email, but UK analysts downplay the issue.

By Guy Matthews, 1 Nov 2006 at 12:20

gallery

A report attacking Microsoft for a lack of security in its mobile push email platform may be unfairly critical, says a UK analyst.

US-based analyst Jack Gold of J. Gold Associates published a report last week which faults Microsoft for the way it implements the push function in its Windows Mobile 5 operating system.

The report, called Microsoft's Direct Push Insecurity, alleges insecurities in the recently upgraded mobile messaging software. The 'flaws' specifically identified in the report relate to the code which updates data wirelessly between Microsoft Exchange and the mobile client. The so-called AirSync code that sits on the client can leave the device's data unencrypted, says Gold.

"The current version of AirSync can only do a file synch of specifically formatted datasets that meet certain Microsoft data requirements," says Gold in the report. "This means that any transfer of data, from Exchange Server to Pocket Outlook, for example, must be done in an unencrypted file state."

Microsoft itself has yet to respond to the criticism, but some analysts are already expressing doubts about how much risk the potential flaw represents.

"I'd say that this is an anomaly that Microsoft needs to address rather than a full blown crisis," says Rob Bamforth of consultancy Quocirca. "Whenever a product gets more complex, then there are bound to be a couple of minor security consequences in the short term. I'd say in general that there's a huge step change in robustness between the old and new versions of Microsoft's mobile platform."

The feedback that Quocirca has been getting from end users on Microsoft and its recent spate of security controversies suggests that the vendor is heading in the right direction, says Bamforth.

"Microsoft has got better at dealing with security issues more quickly," he said. "In any case it's not always easy to pinpoint whether a particular problem is the fault of the wireless technology, the device itself or the transport mechanism. Microsoft's security vulnerabilities are an easy bandwagon to jump on."