It certainly isn't an ideal situation. Phone manufacturers and carriers want to sell phones and airtime, so security is probably not among their top concerns. As you say, one must wait for the phone manufacturer or carrier to make any Microsoft updates available before downloading and installing them. The process for Windows Mobile updates is quite a contrast compared to the Microsoft automatic update service available for regular PCs.
For my own phone, I had to hunt for my provider's upgrade page and the instructions were less than clear: "Stay up to date by downloading the latest upgrade for your Windows Mobile device. Depending on your handset model, this upgrade may include new and important features…." There was no clear explanation as to how important the update was or what issues it fixed. Keeping secure should be made as easy as possible; this wasn't.
There are signs, based on recent job postings and Internet gossip, that Microsoft's Windows Mobile 7 operating system will be capable of updating itself over the air (OTA). Unfortunately, current indications are that version 7 won't be ready until 2010. Hopefully the planned Windows Marketplace for Mobile will be up and running sometime this year. It will be a central point of access for new software and updates across all the Windows Mobile handsets, so you will at least be able to get your updates directly from a Microsoft portal.
Mobile devices of any type are often a weakness within enterprise security. For some reason they tend to fall outside the scope of regular security assessments and audits, even though the security risks are very similar to those of laptop computers. As mobile phones become more like mini PCs, they will need similar add-on security tools and patch processes to keep them safe.
For administrators trying to lock down these devices, there are security tools for Windows Mobile which can provide additional security in much the same way as desktop security suites do for regular PCs. Products include the likes of Symantec Corp.'s Mobile Security Suite, Kaspersky Lab Inc.'s Mobile Security, Airscanner Corp.'s Mobile Supreme Security, PGP Corp.'s Mobile encryption and Bluefire Corp.'s Mobile Security Enterprise.
Dig Deeper on Microsoft Patch Tuesday and patch management
Related Q&A from Michael Cobb
Explore the differences between symmetric vs. asymmetric encryption algorithms, including common uses and examples of both, as well as their pros and... Continue Reading
Pirated software is still a major concern nowadays. Uncover how to prevent software piracy and protect your organization's intellectual property. Continue Reading
Shellcode is a set of instructions that executes a command in software to take control of or exploit a compromised machine. Read up on the malware ... Continue Reading