Old 11-30-2008, 11:40 PM   #1
daphne
BBF Spam Killer Moderator
Default Critical security vulnerability in BlackBerry Desktop Software


Just published 11-28-08

BlackBerry Desktop Software FlexNET Connect ActiveX Control Vulnerability (Secunia Advisory SA32842)

Quote:
Secunia Advisory: SA32842
Release Date: 2008-11-28

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch

Software: BlackBerry Desktop Software 4.x

CVE reference: CVE-2007-0328

Description:
A vulnerability has been reported in BlackBerry Desktop Software, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to the inclusion of a vulnerable FlexNET Connect ActiveX control.

For more information:
SA25501

The vulnerability is reported in versions 4.2.2 through 4.7.

Solution:
Apply patches. Please see the vendor's advisory for more details.
https://www.blackberry.com/Downloads...93E4F3BB068C22

Original Advisory:
Updating an ActiveX control that the Roxio Media Manager uses

Other References:
SA25501:
Macrovision FLEXnet Connect DWUpdateService ActiveX Control Insecure Methods

US-CERT VU#524681:
US-CERT Vulnerability Note VU#524681
Advisory from RIM:
Updating an ActiveX control that the Roxio Media Manager uses


Quote:
Environment
BlackBerry® Desktop Software versions 4.2.2 to 4.7
Microsoft® Internet Explorer version (all versions)
--------------------------------------------------------------------------
Overview
The BlackBerry Desktop Manager includes the Roxio® Media Manager for managing media synchronization between the BlackBerry smartphone and the Microsoft® Windows computer. The Roxio Media Manager includes a Microsoft® ActiveX® control used for retrieving and installing application updates. The ActiveX control has the following properties:

ActiveX control property Value
Name DWUpdateService
Class identifier 551E5190-19C7-4626-9D54-FB20355E6467
--------------------------------------------------------------------------

Problem
A buffer overflow exists in the DWUpdateService ActiveX control that could potentially be exploited when a user visits a malicious web page that invokes this control.

Research In Motion (RIM) is tracking this issue as SDR234293.

RIM recommends that you follow the instructions provided here to determine whether your system is affected and where BlackBerry smartphone users can download updated software that addresses the issue.
--------------------------------------------------------------------------

Resolution
Determine whether your system is affected
On the computer on which the BlackBerry Desktop Software is installed, browse to <COMMONFILES>\InstallShield\UpdateService\agent.exe (on most systems, C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe)
Right-click agent.exe and select Properties.
Click the Version tab and verify the version shown. If the File version is 6.0.100.65100 or earlier, the file is affected and can be protected by upgrading the software.


-------------------------------------------------------------------------

Upgrade the BlackBerry Desktop Software

If the affected version of agent.exe is present on the computer on which the BlackBerry Desktop Software is installed, upgrade to the latest patch for the BlackBerry Desktop Software version 4.5, 4.6, or 4.7.
Note: The minimum BlackBerry Desktop Software version you can install to resolve this issue is 4.5.


Visit https://www.blackberry.com/Downloads...93E4F3BB068C22.
In the drop-down list, select BlackBerry Desktop Software v.4.5, BlackBerry Desktop Software v.4.6, or BlackBerry Desktop Software v.4.7 and click Next.
Choose a BlackBerry Desktop Manager bundle to download that includes the With Media Manager option.
Complete the download process and follow the installation instructions to complete the upgrade process.

OR:
Install a patch from a third-party software vendor
If you do not want to upgrade your BlackBerry Desktop Software, you can install a patch from third-party software vendor Acresso™ Software to address the issue.

Visit kb.roxio.com/content/kb/General%20Information/000072GN to see the related notice from Sonic Solutions’ Roxio for more information, and to download and install the FLEXNet® Connect patch from Acresso Software.

Acknowledgements
RIM worked with Sonic Solutions to address the vulnerability, which was identified by US-Computer Emergency Readiness Team Coordination Center (CERT/CC). This article is in reference to US-CERT Advisory VU# 524681.


Additional Information
Visit BlackBerry - BlackBerry Enterprise Solution | Wireless Network Security for Corporate Data for more information on BlackBerry security.

Visit US-CERT Vulnerability Note VU#524681 for the related US-CERT advisory.

Visit kb.roxio.com/content/kb/General%20Information/000072GN to see the related notice from Sonic Solutions’ Roxio for more information.
(Bolded text by me)

So the bottom line is that users should check the properties of the file shown in the screenshot here.



If the File version is 6.0.100.65100 or earlier, they need to upgrade Desktop Manager meaning, re-download and install 4.5, 4.6, or 4.7 because RIM has replaced/upgraded the file to a newer version now.

In summary:
If you have BlackBerry Desktop Manager versions 4.2 through 4.7, you should check the file properties shown in the screenshot. To get there, open My Computer > Program Files > Common Files > InstallShield > UpdateService. Right-click the file 'agent.exe', and click Properties. You can see the file version in the screenshot. My version needs to be updated because it's lower than 6.0.100.65100.

Note, the advisory says: "The minimum BlackBerry Desktop Software version you can install to resolve this issue is 4.5."

That means if you have DM 4.2, you should upgrade to at least 4.5 to fix the vulnerability.

If you have Desktop Manager installed without Roxio, check the file still, but you should not need to upgrade according to my understanding.
Any questions, ask.
__________________
Report spam text messages to 7726
#BlackBerry by choice
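The manual check above (open Properties, read the Version tab, compare against 6.0.100.65100) is error-prone across many PCs, and a plain string comparison gets it wrong (for example "6.0.100.9" sorts after "6.0.100.65100" as text). The script below is an added example, not from RIM, Secunia, or the post above. It uses only the facts in the advisory: the agent.exe path under Common Files, the affected-version threshold, and the DWUpdateService CLSID 551E5190-19C7-4626-9D54-FB20355E6467. It compares versions numerically with [System.Version], looks in both Common Files roots (so a 32-bit install on 64-bit Windows is found), and additionally reports whether the control is registered and whether Internet Explorer's standard ActiveX kill bit (Compatibility Flags 0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility) is set for that CLSID. The kill-bit check is my addition as a status read-out; the advisory's remediation remains the Desktop Software upgrade or the Acresso patch.

```powershell
# Added check for the DWUpdateService / agent.exe issue described in the RIM advisory.
# Not RIM's or Roxio's code. Threshold and CLSID are taken from the advisory text.
$Threshold = [Version]'6.0.100.65100'                    # this version or earlier is affected
$Clsid     = '{551E5190-19C7-4626-9D54-FB20355E6467}'    # DWUpdateService ActiveX control

function Get-AgentExeStatus {
    # Both Common Files roots: on 64-bit Windows a 32-bit install lands under (x86).
    $roots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) | Where-Object { $_ }
    foreach ($root in ($roots | Select-Object -Unique)) {
        $path = Join-Path $root 'InstallShield\UpdateService\agent.exe'
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $vi  = (Get-Item -LiteralPath $path).VersionInfo
        # Build a System.Version from the numeric parts so the comparison is numeric, not lexical.
        $ver = New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        [PSCustomObject]@{
            Path        = $path
            FileVersion = $ver
            Affected    = ($ver -le $Threshold)   # "6.0.100.65100 or earlier" per the advisory
        }
    }
}

function Get-DWUpdateServiceControlStatus {
    # Is the control registered at all, and has IE been told never to instantiate it?
    $registered = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"
    $compatKey  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = 0
    if (Test-Path $compatKey) {
        $flags = [int](Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    }
    [PSCustomObject]@{
        Clsid      = $Clsid
        Registered = $registered
        KillBitSet = (($flags -band 0x400) -ne 0)   # 0x400 = "Compatibility Flags" kill bit
    }
}

# --- Report -------------------------------------------------------------
$agents = @(Get-AgentExeStatus)
if ($agents.Count -eq 0) {
    Write-Host 'agent.exe not found under Common Files\InstallShield\UpdateService; FLEXnet Connect does not appear to be installed.'
} else {
    $agents | Format-Table -AutoSize
    if ($agents | Where-Object Affected) {
        Write-Host "Affected: agent.exe is $Threshold or earlier. Per the RIM advisory, upgrade to BlackBerry Desktop Software 4.5, 4.6 or 4.7 (bundle with Media Manager) or apply the Acresso FLEXnet Connect patch."
    } else {
        Write-Host 'Not affected by file version: agent.exe is newer than the advisory threshold.'
    }
}
Get-DWUpdateServiceControlStatus | Format-List
```

Run it in an elevated PowerShell session only if you want to read HKLM reliably; the file-version part needs no elevation. Note that "Affected" is decided from the advisory's version threshold alone; a machine where the control is registered but agent.exe is missing, or where the kill bit is already set, still shows up in the second table so you can decide what to do with it.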