Security Flaw Found in Smartphone Software

Microsoft and mobile phone operator Orange are working to patch a security bug that affects the first mobile phone to use Microsoft's Windows Powered Smartphone software, Orange said Thursday.

The SPV phone, launched in October and sold by Orange in several European countries, can run downloadable applications. It was designed to only run certified applications, in order to protect customers against rogue code. However, details on how to disable this security feature have become public, allowing the installation of applications that have not been certified, Orange said in a statement Thursday.

Culprits are SPV users and software developers who were upset with the block on running third-party applications. They came up with a way to undo that protection and posted instructions in online discussion forums on software development for smart phones like the SPV.

Microsoft and Orange have investigated the issue and will provide a security update as soon as possible to solve it, Orange said. Users will be able to download this update through the Orange Update application on their SPV, the Paris mobile operator said.

Low Risk

The procedure to unlock a phone involves manually editing two files on the phone using a PC and the synchronization software, according to one set of instructions found online. Because changes have to be made directly on the phone to be able to bypass the security, Orange said it does not see the issue "as posing any risk to the security" of SPV users.

Orange calls on developers who want to create applications for the SPV to go through the certification process. The company will launch a Web site for SPV developers at the end of February, according to the statement.

The SPV runs Microsoft's Windows Powered Smartphone software and is a mobile phone with PDA features. The software is based on Microsoft's Windows CE 3.0 operating system and includes a Web browser, e-mail and instant messaging clients, an address book, and a media player.