RIM warns of BlackBerry browser, BES vulnerabilities

BlackBerry-maker Research In Motion (RIM) yesterday issued two separate security advisories warning both BlackBerry smartphone users and corporate BlackBerry Enterprise Server (BES) administrators of newly discovered security flaws in many versions of RIM's BlackBerry handheld software and in BES.

The first advisory applies to BlackBerry smartphone users, and it warns of what RIM is calling a "partial Denial of Service (Dos)" attack, in which websites with hidden malicious code could potential freeze up users' BlackBerry Browsers and render them unable to surf the Web until the browser either restarts itself or the device is rebooted.

From RIM:

"This advisory relates to a BlackBerry Device Software vulnerability that could allow an attacker to maliciously craft a web page such that, when the BlackBerry device user views the page on a device running the affected BlackBerry Device Software, the browser application becomes unresponsive...Successful exploitation of this issue relies on the user viewing the maliciously crafted web page on a device running the affected BlackBerry Device Software."

The flaw ranks as "medium" severity on the Common Vulnerability Scoring System (CVSS), and RIM says it has issued updated BlackBerry handheld software to solve the problem. The vulnerability doesn't exactly require an urgent fix since the worse that will happen is an affected user's browser might freeze up. But RIM says any and all BlackBerry users running handheld software version 5.0.0 to 6.0.0 should check their wireless carrier's websites or BlackBerry.com for software updates. BlackBerry handheld software prior to v5.0.0 is not supported and software newer than v6.0.0 is not affected, according to RIM.

(Note: Even if RIM has pushed software updates to wireless carriers to address the issue, it often takes those carriers time to examine and approve the software. If no update is currently available for your device, and you find your browser freezing up, RIM suggests simply waiting until the problem resolves itself or resetting your BlackBerry by removing its battery.)

The last major BlackBerry-Browser-related security flaw identified by RIM was in September of 2009.

The second BlackBerry security advisory released yesterday relates to yet another flaw in the PDF Distiller component of RIM's BlackBerry Enterprise Server. Issues with the troublesome BES PDF distiller have been identified as "severe" risks in at least five different RIM security advisories since the summer of 2008. (Read about the last PDF-Distiller-related security advisory, issued just last month.)

From RIM:

"The vulnerability could allow a malicious individual to cause buffer overflow errors, which may result in arbitrary code execution on the computer that hosts the BlackBerry Attachment Service. While code execution is possible, an attack is more likely to result in the PDF rendering process terminating before it completes. In the event of such an unexpected process termination, the PDF rendering process will restart automatically but will not resume processing the same PDF file."

"Successful exploitation of this vulnerability requires a malicious individual to persuade a BlackBerry smartphone user to open a specially crafted PDF file on a BlackBerry smartphone that is associated with a user account on a BlackBerry Enterprise Server. The PDF file may be attached to an email message or the BlackBerry smartphone user may retrieve it from a web site using the BlackBerry Browser."

This latest security advisory has highest CVSS score I've seen tied to any such BlackBerry warning, 9.3 out of 10, with 10 representing the most severe threats. RIM says any and all BlackBerry administrators running full BES, BES Express or BlackBerry Professional Software for Microsoft Exchange, IBM Lotus Domino or Novell GroupWise should visit its server downloads page to see if a security update is available.

For more information on the partial DoS attack that could affect BlackBerry smartphone users or the newly identified BES vulnerability, visit RIM's advisory pages here and here, respectively.

Join the CSO newsletter!

Error: Please check your email address.

Tags Blackberryresearch in motionconsumer electronicssecurityPhones

More about BlackBerryIBM AustraliaIBM AustraliaMicrosoftMotionNovellResearch In MotionResearch In Motion

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Al Sacco

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place