iOS6 devices erroneously take ownership of meetings


One of the great benefits of running one of the world’s largest Exchange deployments is that we at Microsoft get to see all the things that our customers face on a daily basis. With the recent release of iOS6, we have noticed a marked increase in support calls due to meetings having the owner of the meeting changed (sometimes called “meeting hijacking”). Most instances reported to us to date involve users with delegates who first open a meeting request in Outlook and then act on that same meeting in iOS.

Meeting issues are a large part of the challenges that we know some organizations see with 3rd party devices (here is our list). Unfortunately the recent iOS update has exacerbated one of these issues. We wanted to let you know about this issue as well as let you know that we have discussed this issue with Apple. We are also looking at ways that we can continue to harden the Exchange infrastructure to protect our servers and service from poorly performing clients.

In the meantime we wanted to offer a few mitigation options:

  • Tell users not to take action on calendars on iOS – We’re not seeing this particular issue if users don’t take action on their calendar items (for example, accept, delete or change meetings).

  • Switch iOS users to POP3/IMAP4 – Another option is to switch users over to POP/IMAP connections. This will remove calendar and contacts functionality while allowing users to still use email (though email delivery may shift from push to pull while using these protocols).

  • 3rd party clients/OWA – Moving impacted users over to another email client that is not causing these issues for your organization may help alleviate the pain here. There are a number of other client options (OWA being one of them of course). Numerous clients are available in mobile application stores. We don’t recommend any particular client.

  • Block delegates – Many of the issues we are seeing involve delegates. An admin can take the less drastic step of using the Allow/Block/Quarantine list to block only users who are delegates, or have a delegate, to minimize the impact here.

  • Block iOS 6 devices – Exchange server comes with the Allow/Block/Quarantine functionality that enables admins to block any device or user.

  • Tell users not to upgrade to iOS 6 or to downgrade their devices – This solution may work as a temporary fix until Apple provides a fix but many users may have already made the decision to update.

  • Wait – We do not have any information on the timeline of a fix from Apple but if this timeline is short, this may be the easiest course of action. Please contact Apple about any potential fix or timeline for its delivery.

  • Our support team has also published a KB article on this issue that you can read here. And we will update this post when a fix is available or we have additional information.
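One way to carry out the “Block delegates” option above with the per-user Allow/Block/Quarantine list, as an added example that is not the Exchange Team’s own script. It assumes delegates were set up through Outlook’s Delegate Access (so they appear in the manager’s GrantSendOnBehalfTo) and that Get-ActiveSyncDeviceStatistics reports an iOS 6 device’s DeviceOS beginning with “iOS 6”; only those device IDs are blocked, and only for users who have, or are, a delegate.

```powershell
# Added example, not from the Exchange Team post. Run in the Exchange
# Management Shell (Exchange 2010 SP1 or later). Assumptions: delegates
# are listed in the manager's GrantSendOnBehalfTo (Outlook Delegate Access),
# and affected devices report a DeviceOS that starts with "iOS 6".
param([switch]$DryRun)   # -DryRun only reports what would be blocked

# 1. Collect every mailbox that has a delegate, and every delegate named.
$affected = @{}          # Alias -> reason the user is in scope
foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
    if ($mbx.GrantSendOnBehalfTo.Count -eq 0) { continue }
    $affected[$mbx.Alias] = "has delegate(s)"
    foreach ($d in $mbx.GrantSendOnBehalfTo) {
        $delegate = Get-Mailbox -Identity $d.DistinguishedName -ErrorAction SilentlyContinue
        if ($delegate -and -not $affected.ContainsKey($delegate.Alias)) {
            $affected[$delegate.Alias] = "is a delegate of $($mbx.Alias)"
        }
    }
}

# 2. For each in-scope user, find currently partnered iOS 6 devices and add
#    just those device IDs to the mailbox's ActiveSync block list. Other
#    devices, and every other user, keep syncing.
foreach ($alias in $affected.Keys) {
    $stats = Get-ActiveSyncDeviceStatistics -Mailbox $alias -ErrorAction SilentlyContinue
    $ios6  = @($stats | Where-Object { $_.DeviceOS -like "iOS 6*" })
    if ($ios6.Count -eq 0) { continue }

    $ids     = $ios6 | ForEach-Object { $_.DeviceID }
    $cas     = Get-CASMailbox -Identity $alias
    $blocked = @($cas.ActiveSyncBlockedDeviceIDs) + @($ids) | Sort-Object -Unique

    Write-Host ("{0} ({1}): blocking {2}" -f $alias, $affected[$alias], ($ids -join ", "))
    if (-not $DryRun) {
        Set-CASMailbox -Identity $alias -ActiveSyncBlockedDeviceIDs $blocked
    }
}
```

Per-user block lists take precedence over organization-wide device access rules, so this does not depend on being able to match iOS 6 in a rule; run it with -DryRun first to review the list of users and device IDs.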

Adam Glick
Sr. Technical Product Manager

Comments (42)
  1. Amit says:

    Steve Job is not there, else we might have not seen all this.

  2. Yps says:

    This seems to be a big design mistake, if this is possible to change from client, and not verified by server.

  3. Andrew Laurence says:

    It sounds like EAS does not sufficiently validate endpoint calendar operations.  I'd like to hear more about how EAS will be hardened against this kind of exploit.  

  4. Rick Stone says:

    Thanks, Adam.  This is very helpful.

  5. eas says:

    I had a ticket open with MS on this very thing…glad to see it officially announced as an issue.  Like others are saying, even though iOS is not doing what it should, why is the server allowing it to happen in the first place?  My issues are with non-organizer/non-delegates randomly (and non-interactively) cancelling meetings that they are simply attendees of.  The server should crosscheck permissions and deny it, even if the device thinks it can.  Sounds more like an exploit waiting to happen to me…both Apple and MS need to patch this up.

  6. Corporate Nightmare says:

    While it would be great for Apple to release a fix, this is just the latest incarnation of this LONG standing issue.  The ultimate fix for this is to have Microsoft patch this clear vulnerability in the ActiveSync code in Exchange (this has been going on since at least Exchange 2003).  If they patch this, it only takes care of those Apple devices and I'm sure this is coming from other vectors as well, plus we have to rely on people upgrading their devices including people outside of our company, so it's not a real fix.  

    This issue in the corporate space usually generates the highest visibility because the issue is related to delegates, usually execs and is a nightmare.  I am happy that the latest blowup of this has raised the attention of both vendors to hopefully get this fixed once and for all.  

    Microsoft, please fix this soon.

  7. Steven Presley says:

    I kind of agree.  I can't think of a mobile use case (or even a non-mobile) where taking over a meeting as the organizer should be allowed.  This seems to be a weakness in the protocol itself.

  8. If this is occurring with delegates then that seems like less of a server exploit and more of a client issue. Will be watching the outcome of this with great interest.

  9. David says:

    This is definitely an Exchange security issue.  Blaming Apple is not a solution.  Any other device, or a malicious program, could do the same thing.  The root problem lies with Exchange allowing behavior that clearly should be prevented.

  10. clarkeb says:

    We have lots of cases of this happening as well, as we have hundreds of devices like this getting upgraded all the time, and constantly get questions about disappearing items from people's calendars.

    Can easily repeat this as well

  11. John says:

    I'd love to see the IT department that gets fired for blocking iOS6 on their Exchange servers.    With most IT departments one step away from being outsourced, this would likely tip the scales for some.

    The odd thing is, Microsoft doesn't make it easy for iOS to act correctly on most calendar info anyway.. so most iOS owners don't act on calendars that are from Exchange.     Ever tried forwarding a meeting?  You can't.   Simple stuff like that.    Microsoft and Apple need to work together more on this stuff rather than trying to block each other out of functionality.     Nobody wins in that game.. not in the day and age of consumerization.

  12. Bart says:

    We see this with Android phones as well.  Seems like a server side issue that Microsoft would only fix if it happened to their failed Windows phones.

  13. tony says:

    >>While it would be great for Apple to release a fix, this is just the latest incarnation of this LONG standing issue.

    Yes, I've been seeing this under iOS 5.x for quite some time…  this is not an iOS6 issue only.

    > Ever tried forwarding a meeting?  You can't.   Simple stuff like that.

    Actually forwarding & delegating figure into the problem..I've mostly only seen this problem when someone forwards an invite,  and only when the original invite is from OUTSIDE our exchange organization.   We never have problems with iOS devices and meetings originated from within our own exchange organization.     Having a delegate forward also appears to be part of the problem (delegation issues).

    We basically ask our people to not accept/decline/modify EXTERNAL customer invites on their iOS devices or OSX Mail / iCal.    Outlook 2011 on OS X  is fine.

    What I don't understand is, if a device messes up who the Organizer is, while Exchange would even allow an external client/device to corrupt the originating invite.

  14. vincent says:

    We have a lot of cases where meetings are "moved" when viewed/edited in iOS.  It was happening with iOS 5.x as well.  When a user edits or accepts a meeting from an iOS device, the meeting dates are changed.  Usually pushed one day later.  Is this part of the same issue?  Anyone had this kind of problem?

  15. Gengaiyan_1 says:

    This is good news that Microsoft announced the issue officially, we are using Zenprise device manager along with Touchdown 3rd party app and we didn't see this kind of problems in iOS6.

  16. Mike M says:

    I am trying to reproduce this issue in our environment but I am not able to. Can someone walk me through the steps? We have Exchange 2010 SP2 with 2000 IOS devices 500 of them have been upgraded to IOS 6 already.

    Thanks

  17. Bharat Suneja [MSFT] says:

    @Gangaiyan: If your users are using a third-party Exchange ActiveSync client, they may not be impacted. As indicated in the post, using a third-party client is one of the suggested workarounds.

  18. clarkeb says:

    Mike M… to reproduce do this: all I did was get the PA of a user, as in the delegate, to accept or modify an appointment on the mobile device directly and then watch it disappear from the manager's client.

    The PA or delegate needs to have full permissions to the person's calendar for it to happen, I found. And yes, I found this happened well before iOS6 was in play.

  19. Mike M says:

    Brenton

    So the delegate is not required to have an iOS6 device, only the manager, and the delegate needs to accept the meeting in her or his device, and in this case the manager should have the "send meeting to my delegate only" setting in his Outlook? Correct? In our environment PAs do not have devices.

  20. sadda@outlook.com says:

    @Andrew; Steven Presley; Tony…

    (ref: http://www.zarafa.com/…/ios6-meeting-hijacking-fixed-open-source-activesync-implementation-z-push)

    Whenever a meeting item is pushed to the iPhone in which there are no attendees, the iPhone will assume that it is the organizer of that meeting. This is absolutely incorrect, and is the root cause of all the problems…

    This is a nasty 0-attendee bug in iOS!

    Why Exchange allows EAS client to do this?

    An EAS client is 'allowed' to just change the organizer of the meeting in the appointment. All it has to do is send a 'bad' item update to the server and the server will accept this. Until now it always 'trusted' the client not to break things, and not disallowed any bad behavior from clients.

    Even if you block the EAS client from changing the item in the calendar, the device is actually sending its own SMTP messages to actually send the cancellation…

  21. Vrai_bunny says:

    Hi,

    How to block a device with iOS6?

    As the article you linked explains, you cannot filter the device by OS.

  22. sadda@outlook.com says:

    @Vrai,

    See the "Setting up a rule for unknown devices" in that article. Add one of the users (using iOS 6) to the custom list. And then create a rule by selecting "this kind of devices".

    This should work!

  23. james says:

    Definitely a MS Exchange problem in the way it deals with client requests (regardless of how well they are written or the spin).  I would call it a vulnerability if a user becomes an owner of an object they shouldn't own.

  24. Paul N. says:

    So far I have only seen this in our environment when someone has a delegate who is also the delegate of other people.  User 1, User 2, and User 3 all use User 4 as their delegate.  Users 1-3 have iOS phones and User 4 does NOT.  User 4 creates a meeting on behalf of User 1 and invites Users 2 and 3 (along with other attendees).  User 4 accepts it on behalf of Users 2 and 3.  User 2 sends a cancellation and becomes the owner of a new event of the same name/time/location that is only sent to himself.  I know that it is not the original item as his Sent Items contains both a cancellation notification and a meeting invite sent only to himself.

    What is particularly odd about this is that he never processed the meeting/request from his iOS device (or so goes the claim).  

    As to everyone else making comments about iOS 5, yes, there have been issues with that and Calendars, but honestly, I don't recall a version of iOS that never had some problem with Calendars.  It has been quirky for as long as I have been using it (which was iOS 3).  

    Lastly, what would it take to simply "Block" ActiveSync commands that don't properly cater to the specifications?  My understanding is that iOS does something incorrectly that Exchange doesn't allow, but at the same time doesn't block.  Like running a stop sign; I’m not “allowed” to run a stop sign, but I am never penalized for it unless a police officer catches me in the act.  At what point can Exchange become a traffic cop, or would that create issues (political or otherwise) with the ActiveSync licensees?

  25. chris johnson says:

    Please take the initiative and do something about this Microsoft – at least talk to Apple and link to their update. We are having to field the complaints about it and all we can tell the users is that Microsoft knows about the problem… I would say 90%+ of our user base have iphones. Now we just told them that those devices should not be used for calendar management…

  26. Doug says:

    This issue pre-dates iOS6.  We've had an open Premier Support case since the summer.  Hey Exchange Team  –  tell the developers they need to make sure NO ONE but the meeting organizer or their delegate can change a meeting.  Let's see the fix in the next update rollup. Thanks.

  27. Anthony says:

    Hey Adam, be aware that downgrading to iOS 5 isn't an option and isn't permitted by Apple. Not sure why you're suggesting this, it hasn't been something you could do officially for 2-3 years now. Once you upgrade you are stuck at that version for lack of a better term and attempts to downgrade will fail.

  28. Daniel says:

    Noooo, please, noooo, the problem is in Exchange Server that allows exploit the bug….

  29. Matthew Arnold says:

    iOS 6.0.1 came out today, and apparently fixes this issue!!!

    "Fixes a bug affecting Exchange meetings"

  30. Agustin says:

    Official Apple Support page:

    iOS 6.0.1 Software Update

    support.apple.com/…/DL1606

  31. Molly DeMink says:

    I did not upgrade to iOS6 yet was a victim of the meeting hijacking situation!  I held off because I was out of town and did not have access to my home computer to do this.  Sooooo, how did this happen to me? Thanks!

  32. Paul N. says:

    Now a question the the ExTeam: "How possible is having future versions of Exchange deny updates from ActiveSync devices that don't adhere to MS-written specifications?"  

    No matter how screwy Apple gets with their coding, if something is blocked & logged by Exchange, that could help to mitigate issues during the testing phases from Apple.  

  33. Karsten says:

    Hi Exchange Team: Your article states "we will update this post when a fix is available"; according to the documentation of IOS 6.01 this is fixing the problem. Since your post is not updated – does this mean the IOS 6.01 update is not correcting the error or are you still testing?

  34. buffer overflow 0xG says:

    1) It happens with Android devices as well

    2) The more meeting attendees, the more likely it will happen

    3) Recurring meetings more likely than single ones (but can be either)

    4) There is a KB article for Exchange 2007 (2521063), but none for 2010

    5) Even happens when the iPad user is in a different domain. This is, IMO, proof positive that it is an Exchange problem (as well). No one from a different domain should ever be able to cause an appointment in an organiser's mailbox to be deleted; yet that is exactly what is happening to us.

    I would like to believe that Exchange 2010 SP1 RU 7v2 or Exchange 2010 SP2 RU 4v2 will fix the problem, however I have yet to see any indication that this is even acknowledged as an Exchange problem.

  35. Paul N. says:

    @ Buffer Overflow:

    "5) Even happens when the iPad user is in a different domain. This is, IMO, proof positive that it is an Exchange problem (as well). No one from a different domain should ever be able to cause an appointment in an organiser's mailbox to be deleted; yet that is exactly what is happening to us."

    What do you mean by "happens when the iPad user is in a different domain"?  Do you mean that someone in a different domain sends a meeting request that is then "Adjusted" on the iOS device of a user in a different domain?  If so, I don't see how it is much different than being in the same domain; the entry on Dave's calendar from Company A is the original but was sent to Joe at Company B.  Joe accepts the meeting (whether by his own hand or by his delegate) then later his iOS device "Updates" the appointment to mark him as the organizer and may or may not send a cancellation to Dave and/or other attendees.  

    The issue is not that Exchange has a bug, but rather the problem is in Apple's implementation of ActiveSync.  Sure, Exchange could act as a "Gatekeeper" and deny this type of erroneous update, which would be a very helpful thing to mitigate these issues before they occur, but as long as EAS is implemented properly there should be no need for this.  

  36. buffer overflow 0xG says:

    > What do you mean by "happens when the iPad user in in a different domain"?  Do you mean that someone in a different domain sends a meeting request that is then "Adjusted" on the iOS device of a user in a different domain?

    Someone in my domain invites someone *outside* our domain – different forest if you will – and that person responds using his iPad. He declines, and the meeting is deleted – completely – from the calendar of the organizer in my domain. This, as I indicated, should never happen; but especially when the person invited/declining is in another domain. He has no credentials/authority in our domain at all. In fact, only the organizer has permission to change or delete appointments on their own calendar.

    Finally – as I understand it – the *other* invitees (inside our domain) receive "cancellation" notices.

    So I think that there are two problems: the iOS and Android devices are not following the protocols correctly, AND Exchange is reacting incorrectly to the malformed responses.

    > If so, I don't see how it is much different than being in the same domain; the entry on Dave's calendar from Company A is the original but was sent to Joe at Company B.  Joe accepts the meeting (whether by his own hand or by his delegate) then later his iOS device "Updates" the appointment to mark him as the organizer and may or may not send a cancellation to Dave and/or other attendees.

    Joe can send all the crap he wants; he should not be able to *delete* Dave's meeting.

    > The issue is not that Exchange has a bug, but rather the problem is in Apple's implementation of ActiveSync.  Sure, Exchange could act as a "Gatekeeper" and deny this type of erroneous update, which would be a very helpful thing to mitigate these issues before they occur, but as long as EAS is implemented properly there should be no need for this.

    (Welcome to the brave new world :-)

    Apple AND Google. I have experienced this myself where one of my staff carrying an Android phone gets the message "you cannot accept the invitation, as you are the organizer" – or words to that effect.

    This is complex stuff, and hard to nail down; I agree. But as I have said, we can't just point fingers here.

  37. Carl B says:

    We've had this happen a few times on our Android devices as well, so this is absolutely NOT just an Apple issue. This is most DEFINITELY an issue with ActiveSync in general. We opened a PSS case with Microsoft a week ago which has resulted in no solutions. We are in the process of contacting Google and they are telling us that they are aware of other customers experiencing the same issues and have determined it is up to Microsoft to fix. We're in a complete catch-22 at the moment.

    In a nutshell – this sucks. Fortunately, it only occurs about once a week, but Microsoft needs to seriously fix their Exchange software and we can confirm this is NOT an Apple iOS-related issue.

  38. oraps1999@gmail.com says:

    We still face this Exchange calendar meeting hijack issue.

    Does anyone have any update on this issue?

  39. Loren Charlston says:

    I don't have an iPhone anymore and can't tell where my old iPhone would still be showing up.  Can you help me?  I have the new Nokia 920 Windows phone which I really like and don't want anything that says iPhone on my Microsoft account.  That was my internal agreement with myself when I accepted the Windows phone rebate to not use the iPhone, which I have done.  Thanks for the help in advance. Loren
