It is now been proven possible to spread malware via MMS messages from device to device rather than via a PC.
Colin Mulliner, after waiting for six months for a reply from Microsoft about his findings, published proof-of-concept exploits of MMS vulnerabilities on 29 December at the 23rd Chaos Communication Congress in Berlin.
According to security firm F-Secure, the exploits target bugs in the SMIL presentation control language, whatever that means. The bottom line is that it is possible for a rigged MMS message to execute code on a mobile device.
Collin's research found that the HP IPAQ 6315 and the i-mat PDA2K have the vulnerability, but F-Secure says it's “quite likely” that all Pocket PC 2003 and Windows Smartphone 2003 are vulnerable as well.
It's not easy for a hacker to exploit the flaw, as he or she has to guess the correct memory slow where the MMS processing code is executing to send the exploit code successfully, so the security researcher say that a malicious MMS will likely only be able to crash the device.