PT-2007-6496 · Microsoft · Activesync

Published

2007-10-15

·

Updated

2024-02-09

·

CVE-2007-5460

CVSS v2.0

7.1

High

Vector AV:N/AC:M/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Microsoft ActiveSync version 4.1
Description: Microsoft ActiveSync 4.1 protects the user's PIN/password with weak encryption, namely XOR obfuscation with a fixed key, when the host sends it to the device over the USB connection. Because the key never changes and XOR is its own inverse, a PIN/password captured by sniffing the USB link or by spoofing the docking process can be decoded once the key is known, and the key itself can be recovered from a single known PIN/password and its obfuscated form.
Recommendations: For Microsoft ActiveSync version 4.1, avoid sending the PIN/password over the USB connection until a version with a stronger protection mechanism is available; where syncing over USB is unavoidable, restrict physical and logical access to the host and to the docking process so that the link cannot be sniffed and a rogue device cannot pose as the handheld. Treat any PIN/password entered during such a sync as potentially exposed. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
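The following example is added to this record to show why XOR with a fixed key is not encryption in the sense the advisory requires; it is not code from the advisory, from Microsoft or from ActiveSync. The 4-byte key, the digits-only PIN assumption and the two "captured" USB frames are constructed for illustration and are not the product's actual key, key length or wire format.

```python
"""Added example for the fixed-key XOR weakness described above.
Not code from the advisory or from ActiveSync: the key, the digits-only
PIN assumption and the 'captured' frames are constructed for illustration."""

# Constructed: a hypothetical 4-byte fixed key standing in for whatever
# constant the host uses. It is NOT ActiveSync's real key.
FIXED_KEY = bytes.fromhex("5a3c9e17")


def xor_fixed_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the repeating fixed key. The same call both
    'encrypts' and 'decrypts', so anyone holding the key reverses it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(known_pin: bytes, captured: bytes) -> bytes:
    """Known-plaintext attack: c = p XOR k, hence k = c XOR p. One sniffed
    frame whose PIN the attacker already knows (e.g. from their own device)
    yields the key bytes for every later session, because the key is fixed."""
    if len(known_pin) != len(captured):
        raise ValueError("known PIN and captured frame must be the same length")
    return bytes(p ^ c for p, c in zip(known_pin, captured))


def decode_captured(captured: bytes, key: bytes) -> str:
    """Decode a frame sniffed from a different session with the recovered key."""
    return xor_fixed_key(captured, key).decode("ascii")


def digit_pin_key_candidates(captured: bytes) -> list:
    """Ciphertext-only view: if PINs are known to be decimal digits, each key
    byte must map its ciphertext byte back into b'0'..b'9', which leaves
    exactly 10 candidates per position (10**n keys for an n-digit PIN instead
    of 256**n). This is the 'easier to decode' the advisory refers to, before
    any known plaintext is available."""
    digits = set(b"0123456789")
    return [sorted(k for k in range(256) if (c ^ k) in digits) for c in captured]


if __name__ == "__main__":
    # Constructed frames: what a USB sniffer, or a spoofed device acting as
    # the handheld, would receive from the host in two different sessions.
    frame_own = xor_fixed_key(b"1234", FIXED_KEY)     # attacker knows this PIN
    frame_victim = xor_fixed_key(b"9081", FIXED_KEY)  # attacker wants this one

    key = recover_key(b"1234", frame_own)
    print("recovered key :", key.hex())
    print("victim PIN    :", decode_captured(frame_victim, key))
    print("key candidates per position, digits-only assumption:",
          [len(c) for c in digit_pin_key_candidates(frame_victim)])
```

The point of `recover_key` is that the attacker does not need to extract the constant from the ActiveSync binary: docking a device whose PIN they control and sniffing a single frame is enough, and the same key then decodes every other user's frame captured on that host. A per-session key, or a real authenticated encryption scheme, would make both steps fail.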

Use of a Broken Cryptographic Algorithm


Weakness Enumeration

Related Identifiers

CVE-2007-5460

Affected Products

Activesync