A few very important updates that need to be applied! Hopefully we’ll get another update here in the next couple months with features instead of security patches!

I can understand Apple’s need to release patches for the Safari App.. afterall, it is a full fledged browser. Can Windows Mobile IE say that? :O

Safari

CVE-ID: CVE-2007-2400

Available for: iPhone v1.0

Impact: Visiting a malicious website may allow cross-site scripting

Description: Safari’s security model prevents JavaScript in remote web pages from modifying pages outside of their domain. A race condition in page updating combined with HTTP redirection may allow JavaScript from one page to modify a redirected page. This could allow cookies and pages to be read or arbitrarily modified. This update addresses the issue by correcting access control to window properties. Credit to Lawrence Lai, Stan Switzer, and Ed Rowe of Adobe Systems, Inc. for reporting this issue.

Safari

CVE-ID: CVE-2007-3944

Available for: iPhone v1.0

Impact: Viewing a maliciously crafted web page may lead to arbitrary code execution

Description: Heap buffer overflows exist in the Perl Compatible Regular Expressions (PCRE) library used by the JavaScript engine in Safari. By enticing a user to visit a maliciously crafted web page, an attacker may trigger the issue, which may lead to arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript regular expressions. Credit to Charlie Miller and Jake Honoroff of Independent Security Evaluators for reporting these issues.

WebCore

CVE-ID: CVE-2007-2401

Available for: iPhone v1.0

Impact: Visiting a malicious website may allow cross-site requests

Description: An HTTP injection issue exists in XMLHttpRequest when serializing headers into an HTTP request. By enticing a user to visit a maliciously crafted web page, an attacker could trigger a cross-site scripting issue. This update addresses the issue by performing additional validation of header parameters. Credit to Richard Moore of Westpoint Ltd. for reporting this issue.

WebKit

CVE-ID: CVE-2007-3742

Available for: iPhone v1.0

Impact: Look-alike characters in a URL could be used to masquerade a website

Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious web site to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by through an improved domain name validity check.

WebKit

CVE-ID: CVE-2007-2399

Available for: iPhone v1.0

Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

Description: An invalid type conversion when rendering frame sets could lead to memory corruption. Visiting a maliciously crafted web page may lead to an unexpected application termination or arbitrary code execution. Credit to Rhys Kidd of Westnet for reporting this issue.

I hope Apple doesn’t leave the iPhone this way.  It’s too important for IT people to know the phones with their corporate data are safe. You only have to look at CNN any given week to see all the ways that corporate data ends up leaving the office and becomes susceptible.

IMAP is *NOT* a long term solution for Corporate America.  Its fine for your home email, but not your work.

If you do use IMAP with your iPhone, make sure its at least IMAP/SSL.  This is supported with Exchange 2003 and Exchange 2007.

One employee in our office got the iPhone the day it came out, without any warning to us IT folks ;), and we had to open IMAP/SSL for him.  It’s working fine for him, but lack of push or calendaring is limiting, but its better than nothing.

There has been a lot of speculation about the iPhone and its abilities to connect to Microsoft Exchange Server. For instance, Wall Street Journal columnist Walt Mossberg mentions in his June 26 All Things Digital column that, “It [the iPhone] can also handle corporate email using Microsoft’s Exchange system, if your IT department cooperates by enabling a setting on the server.”

Technically this is correct, as today iPhone users can connect to Microsoft Exchange using IMAP.  There are, however, some significant differences in the mobile device experience and IT professional capabilities supported by IMAP on the iPhone and those enabled by Exchange ActiveSync (EAS) for compatible devices.  EAS is a protocol that provides rich messaging experiences for over 200 different smartphones right out of the box.  These smartphones include Windows Mobile devices as well as phones from a broad range of 3^rd parties including Helio, Motorola, Nokia, Palm, Sony Ericsson and others.

Comparing IMAP and EAS at a high level: IMAP provides an adequate mobile email experience (but is subject to some important limitations), whereas EAS provides a more secure, complete companion experience to Outlook and Outlook Web Access (OWA) for the mobile device.  To better understand this comparison, let’s look at IMAP on the iPhone and EAS in a bit more detail from several perspectives:

1. Mobile email
2. The mobile experience beyond email
3. Security

IMAP enables an adequate mobile email experience; EAS enables the additional pieces that make mobile email great

Both IMAP and EAS give the mobile client the capability to read email with rich html formatting, and view their inbox as well as subfolders of their inbox and reply/reply-all/forward/compose email (technically, the iPhone uses SMTP to send email.  SMTP for outbound email is configured along during IMAP/Exchange account setup on the device).

EAS also supports capabilities for:

• Direct Push, which provides an up-to-date messaging experience designed for mobile networks
• Email flagging to improve the triage experience on the device
• AutoDiscover to simplify the process of setting up a new device over-the-air
• Server-side logic to preserve the formatting of rich email on reply/forward if the mobile client doesn’t support rich html editing (most don’t)
• Numerous bandwidth optimizations to reduce data charges and improve battery life

EAS enables a rich collaboration experience beyond email

A significant part of the Exchange user experience goes beyond email.  The IMAP protocol only supports email.  EAS is designed to enable a great over-the-air companion experience to Outlook and OWA and supports many facets of Exchange beyond email, including:

• Contact synchronization - view, create and update contacts
• Calendar synchronization - view, create & update appointments, schedule meetings, and accept/decline/propose new time for meeting requests
• Global Address List (GAL) lookup - look-up users in your corporate directory
• Tasks synchronization
• Out-of-office (OOF) email responses - turn on/off and change the OOF message directly from your mobile phone
• Access to documents stored in Sharepoint document libraries and UNC shares
• Search your entire mailbox on the server regardless of what’s cached on the mobile phone
• Allowing users to manage their mobile device(s) using OWA - see device activity, help retrieve forgotten PIN, remotely wipe lost device, etc

EAS and IMAP both secure data on the network; EAS also protects data once it’s on the device

From an IT department’s perspective, this is a highly important distinction between IMAP and EAS.

Both IMAP and EAS allow IT to ensure data and credentials are protected on the network by encrypting them via SSL.

Many IT departments require support for additional security measures to protect data on the device as well (not just over the network) to guard against loss or theft before they are willing to let users connect to Exchange from the Internet using a given protocol.  Only EAS addresses this requirement by enabling IT to implement and enforce security policies that protect the data once it’s on the device. There are a number of these policies supported by EAS today and we continue to add more, some key examples are:

• Requiring a PIN lock on the device
  • IT also has a number of controls dictating the strength of the PIN, timeout, etc. as well as the ability to recover forgotten PINs
• Local and Remote Wipe
  • IT can require that the device erases all data (including data on the SD card) in the event that (1) the PIN is incorrectly entered an IT-specified number of times or (2) IT or the user issues a remote wipe command from the admin console or OWA.
• Blocking attachment download to the device
• Limiting which Sharepoint libraries / UNC shares the user can access

Because IMAP does not support these security policies, many IT departments have decided not to enable mobile device (or any Internet client) access to email via IMAP. EAS on the other hand is seeing increasingly broad adoption by IT departments.

Summary

Microsoft Exchange does have IMAP support that provides for an adequate email experience. The iPhone can access email via IMAP if the IT department has enabled IMAP connectivity for users.  However, IMAP has limitations from both an IT and user standpoint with respect to security and richness of experience that prevent it from being a complete solution for mobile device access to Microsoft Exchange.

Exchange ActiveSync on the other hand provides a very rich email and collaboration experience for end-users as well as support for the important security measures needed for IT.

Feature

Exchange ActiveSync

IMAP4

IMAP client for iPhone

Email

Push Email

Yes

Yes (through IDLE command)

No – pull email only

HTML email formatting

Yes

Yes

Yes

Attachment download

Yes

Yes

Yes (view only)

Search

Yes

Yes

No

Calendar

Calendar Sync

Yes

No

No

Accept/Decline meeting requests

Yes

No

No

Contacts

Contact Sync

Yes

No

No

Global Address List (GAL) lookup

Yes

No

No

Tasks

Task Sync

Yes

No

No

Out of Office

Out-of-office (OOF) email settings

Yes

No

No

Document Access

Fileshare (SMB) and/or Sharepoint Document Library Access

Yes

No

No

Security

Enforce security policies to protect data on device

Yes

No

No

* All were tested using Exchange Server 2007

- Paul Limont

Mobile Device Connectivity to Exchange using IMAP vs Exchange ActiveSync

I kept getting MSExchange ActiveSync 1040 warning events on many client’s Exchange servers (2003 and 2007).  The event itself sent me to http://support.microsoft.com/kb/905013 (thanks Microsoft, that does help!) which pointed to a firewall issue.

Since we are using Cisco routers at these sites, I did a quick Google and turned up nothing.  Darn, time to hit the books

I threw the following command in to modify the timeout in the CBAC inspect of HTTPS.  I set the timeout to 10 minutes.

ip inspect name <inspectname> https timeout 600

So far the warning event hasn’t shown back up…

My Windows Mobile 5.0 phone (Treo 700wx) came with a PDF Reader. But others in our office were not so lucky with their phones.

I use the desktop version of Foxit PDF Reader and it works great. Here is the link to the Windows Mobile version - and its free!

http://www.foxitsoftware.com/pdf/mobile/winmobile.htm