Microsoft has promised to fix flaws in its Outlook for Android and iOS applications that cause some devices handling corporate data to ignore IT departments' passcode and encryption policies.
The bugs were discovered by Dirk Sigurdson, director of engineering at Rapid7's Mobilisafe, and mean existing Exchange ActiveSync controls, such as passcode or encryption policies, have no effect on smartphones or tablets running the iOS and Android apps.
A Microsoft spokesperson told V3 the firm is aware of the issues and is working to improve the Outlook applications' security and enterprise management features.
"Our first release was focused on bringing a great end-user experience to market. Today, Outlook for iOS and Android supports some IT controls like Remote Wipe," said the spokesperson.
"PIN lock will be available in the next few weeks, with additional features that support Exchange ActiveSync policies implemented over the coming months."
Sigurdson recommended that IT departments relying on Exchange ActiveSync controls deactivate the applications for now, despite Microsoft's assurances.
Microsoft launched the iOS and Android apps in January. They were labelled a "security nightmare" soon after, when IBM researcher Rene Winkelmeyer reported finding several faults.
Robert Miller, senior security consultant at MWR InfoSecurity, said the flaws prove that companies should not assume products are secure by design and must be more proactive with their defence strategies.
"Businesses should be careful about making assumptions around the security features of a product," he said.
"In the case of the Microsoft Outlook mobile app, Microsoft made no claims that devices will follow ActiveSync security policies when the app is installed.
"It is important that companies take the time to investigate the security of products before using them.
"This could be done either directly by raising questions with the app's developers, or through third parties who can investigate the security of products."
Outlook is one of many popular services to have suffered flaws recently. Researchers at Sucuri reported finding a zero-day vulnerability in WordPress that was being exploited by hackers to infect thousands of websites earlier in February.
Meanwhile, three zero-day vulnerabilities known to have been actively exploited by hackers were found in Adobe Flash.