It certainly isn't an ideal situation. Phone manufacturers and carriers want to sell phones and airtime, so security...
is probably not among their top concerns. As you say, one must wait for the phone manufacturer or carrier to make any Microsoft updates available before downloading and installing them. The process for Windows Mobile updates is quite a contrast compared to the Microsoft automatic update service available for regular PCs.
For my own phone, I had to hunt for my provider's upgrade page and the instructions were less than clear: "Stay up to date by downloading the latest upgrade for your Windows Mobile device. Depending on your handset model, this upgrade may include new and important features…." There was no clear explanation as to how important the update was or what issues it fixed. Keeping secure should be made as easy as possible; this wasn't.
There are signs, based on recent job postings and Internet gossip, that Microsoft's Windows Mobile 7 operating system will be capable of updating itself over the air (OTA). Unfortunately, current indications are that version 7 won't be ready until 2010. Hopefully the planned Windows Marketplace for Mobile will be up and running sometime this year. It will be a central point of access for new software and updates across all the Windows Mobile handsets, so you will at least be able to get your updates directly from a Microsoft portal.
Mobile devices of any type are often a weakness within enterprise security. For some reason they tend to fall outside the scope of regular security assessments and audits, even though the security risks are very similar to those of laptop computers. As mobile phones become more like mini PCs, they will need similar add-on security tools and patch processes to keep them safe.
For administrators trying to lock down these devices, there are security tools for Windows Mobile which can provide additional security in much the same way as desktop security suites do for regular PCs. Products include the likes of Symantec Corp.'s Mobile Security Suite, Kaspersky Lab Inc.'s Mobile Security, Airscanner Corp.'s Mobile Supreme Security, PGP Corp.'s Mobile encryption and Bluefire Corp.'s Mobile Security Enterprise.
Dig Deeper on Security patch management and Windows Patch Tuesday news
Related Q&A from Michael Cobb
SandJacking, a new iOS attack technique, uses an XCode certificate flaw to load malicious apps onto devices. Expert Michael Cobb explains how the ...continue reading
Oracle has moved from using a modified version of CVSS v2.0 to CVSS v3.0. Expert Michael Cobb explains criticism of the old version, and the changes ...continue reading
QuickTime for Windows was found to have two zero-day vulnerabilities, and was then suddenly moved to end of life by Apple. Expert Michael Cobb ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.