Both vulnerabilities affect the Zaurus SL-5000D and SL-5500. The first security hole could allow a remote attacker to gain complete control of the handheld and, potentially, give that attacker access to a corporate network.
The vulnerability is the result of the handheld not authenticating users for the FTP (File Transfer Protocol) service it uses to connect with desktop computers, the researchers said. This lack of authentication leaves the handheld open to complete compromise, according to Steve Chapin, an associate professor of electrical engineering and computer science at Syracuse, and one of the researchers who announced the flaws.
This vulnerability is particularly serious because the Zaurus, which runs Linux, "has the same functionality as a desktop or server system, in a much smaller box", said Chapin.
Because of this, "oncean attacker has compromised your Zaurus, they can use it just like they can use any other machine to attack the local network," he wrote.
The problem is compounded because the Zaurus is a mobile device that could lead to a user bringing a compromised system to various locations and giving an attacker an access point into each network to which the user connects the infected handheld, .
"If a victim travels from his business to a customer site, then visits a vendor, all of their machines are, potentially, at risk," Chapin said. "This innocent travelling salesman has suddenly become the Typhoid Mary of the information age."
Users of the 5000-series handhelds should either discontinue the use of the QPE interface of which the affected FTP client is a part or should only connect to networks from behind a firewall until a patch is released, the group said.
The second vulnerability, which Chapin deemed "moderate", exploits a security feature built into Zaurus that stops any data from being entered into them if certain settings are triggered. An attacker could force the Zaurus to lock by attacking the table that stores the pass codes for locking and unlocking the screen in the system.
The team notified Sharp of the issues last month.
For now, independent developers have released fixes and workarounds for some of the problems, but they are geared toward more technical users, meaning that "non-techies aren't going to be protected," said Chapin.
"Until Sharp incorporates patches into the version of the Zaurus it's distributing, these security issues will remain."