Exploit released for Windows Mobile flaw

A leading mobile security researcher last week unveiled a new proof-of-concept exploit targeting an unpatched Windows Mobile vulnerability that has been publicly disclosed for over six months.


Researcher Collin Mulliner published the exploit at the 23rd Chaos Communication Congress in Berlin late on Friday.

The proof-of-concept code takes advantage of a flaw in the processing of Synchronised Multimedia Integration Language (SMIL) in MMS messages, which is vulnerable to buffer overflows.

According to Mulliner's presentation, the user only needs to view the MMS message to trigger the exploit he developed. 

Mulliner tested his exploit on the IPAQ 6315 and i-mate PDA2k, and researchers believe that all Pocket PC 2003 and Microsoft Windows Smartphone 2003 devices could be susceptible to the same type of attack.

However, the risk from this particular PoC code is likely limited, experts said. 

"While Collin's discovery is very significant, it does not pose immediate danger to any large group of users," wrote researcher Jarno Niemela on F-Secure's blog.

"The only devices for which the proof-of-concept code is available are the IPAQ 6315 and i-mate PDA2k. And even in those devices, the attacker needs to guess the correct memory slot where the MMS processing code is executing and send correctly crafted exploit code. This means that a malicious MMS message will most likely only be able to crash the device, not exploit it." 

Nevertheless, Niemela and other security experts encouraged users to update their firmware regularly to ensure their devices are patched.

Click here to email West Coast Bureau Chief Ericka Chickowski.