The MMS exploit available for Windows Mobile targets a vulnerability that has been reported more than a half a year ago, according to Symantec. Back in August 2006, Collin Mulliner from the Trifinite Group revealed that a malformed MMS message could permit an attacker to perform arbitrary code execution on a Windows Mobile device. Since then, Microsoft has failed to address the vulnerability, although Collin has confirmed the vulnerability and also released a functional exploit.

Ollie Whitehouse, a Symantec Security Response Researcher summarized the situation:

- There has been a publicly disclosed vulnerability for over six months now.
- There is no patch for this vulnerability.
- There is an exploit now out there.
- There is no easy way to patch the vulnerable devices due to the lack of auto updates (try explaining what a firmware update is to your parents).

As a firmware update from Microsoft is not available, Collin presented the following workarounds:

- WLAN notification flooding denial of service - Packet filter / firewall on phone.

- MMS message-based attacks (the SMIL exploit) - IDS / "AntiVirus" on phone - Mobile phone service provider based IDS / "AntiVirus."

- General SMS/MMS Service Provider Measures - Filter binary SMS that carry MMS Mnotification.ind.

According to Collin, a Windows Mobile user needs only to view a malicious message in order to allow for a successful exploit. Microsoft has failed to comment the situation in any manner.