What is the security issue that has been identified?
There is an unchecked buffer in the ArcSoft MMS Composer application preinstalled on certain mobile phones. This may allow an attacker to create a buffer overrun attack, causing malicious code embedded in an incoming MMS message to be executed.
What platforms are affected by the security issue?
ArcSoft MMS Composer running on devices with Microsoft Windows Mobile 2003 and Windows Mobile 5.0 software, including Smartphone and Pocket PC.
What is the severity of the issue?
If a device is compromised, it is possible to collect sensitive data on end user's device, cause data loss, or start network communication, etc. While the potential severity is critical, it is very difficult to exploit this vulnerability.
What is the risk that the vulnerability will be exploited by hackers?
A hacker with extensive knowledge of the Windows Mobile platform, MMS message structure and its encapsulation may be able to exploit the vulnerability. Based on the required knowledge in all of these technologies, the risk is reasonably remote.
What has ArcSoft done to resolve the issue?
ArcSoft has verified the issue, found the cause, resolved the issue, provided patches and done extensive regression testing for all affected versions released to our hardware partners.
What level of testing has been done to verify the patch update?
ArcSoft has conducted extensive testing on target devices. Regression testing was done to ensure the quality of the patch update.
What action does ArcSoft recommend for end-users to resolve the issue?
Obtain the patch update as soon as possible and apply it.
How can end-users obtain the patch?
Via the hardware manufacturer or cellular service provider.
If I have further questions who do I contact?
Please contact your hardware manufacturer or cellular service provider.
If I download and install what will happen to my device?
It is likely the device will be reset to factory defaults. You should back-up your data before applying the patch, and then restore the data after applying it. Carefully follow the installation instructions from the hardware manufacturer or service provider to apply the patch.
Must I backup my mobile phone before I apply the patch?
Yes. It is always recommended to backup your data before applying any patch update.