Microsoft's Pocket PC 2002 software does not address critical security issues and could make sensitive corporate data stored on PDAs (personal digital assistants) and desktop PCs vulnerable to theft and loss, market analyst Gartner has warned in a recent research note.
Companies that use Pocket PC-based devices should turn to third-party products to protect their data, the research note said.
Microsoft officials contested the accuracy of Gartner's analysis of Pocket PC's security. "Gartner mistakenly blames the Pocket PC for potential security breaches that are in reality related to insecure usage of desktop PCs," said Microsoft spokeswoman Bridget Yau.
Improving security has been a major focus for Microsoft since January, when the Redmond, Washington, company's chairman and chief software architect, Bill Gates, said building an environment of "trustworthy computing" should be Microsoft's top priority, eclipsing the addition of new features to its product line.
But while Microsoft has put the security of many of its flagship products, such as the Windows operating system, Office and Visual Studio .Net, under the microscope, Pocket PC is not yet part of its Trustworthy Computing initiative, Gartner said. The software ignores critical security issues that will not be addressed until the release of its next version, expected 18 to 24 months from now, according to the research note.
Security shortcomings associated with Pocket PC are slowing adoption of handhelds based on the software by many companies, the research note said.
Gartner's research note identified several vulnerabilities in Pocket PC: the default setting does not require a password, and passwords and the password policy cannot be synchronised with a desktop PC. In addition, configuration settings of Pocket PC-based devices cannot be secured, and all settings are lost when the system is reset.
Yau disputed whether a Pocket PC device can be easily installed on a computer and used to download data from applications such as Outlook, calling Gartner's claim "incorrect".
"A Pocket PC cannot be installed onto a password-protected PC without using the PC's password to secure access," she said.
Other areas of vulnerability
- The ability to install a Pocket PC device on a desktop PC without requiring a password, which gives the device the ability to access data in Outlook, as well as other applications
- Users cannot encrypt files with the Crypto API (application programming interface) that is included in Pocket PC
- No security is provided for removable storage devices, such as memory cards
- The software lacks policy features that could be used to restrict a user's ability to run applications on a Pocket PC-based device